Replace lmLog by logger-> (#857)
This commit is contained in:
parent
b7d4dac6ea
commit
deb28bc9cb
|
@ -35,6 +35,7 @@ lib/Lemonldap/NG/Common/Crypto.pm
|
|||
lib/Lemonldap/NG/Common/FormEncode.pm
|
||||
lib/Lemonldap/NG/Common/Logger/Apache2.pm
|
||||
lib/Lemonldap/NG/Common/Logger/Std.pm
|
||||
lib/Lemonldap/NG/Common/Logger/Syslog.pm
|
||||
lib/Lemonldap/NG/Common/Module.pm
|
||||
lib/Lemonldap/NG/Common/Notifications.pm
|
||||
lib/Lemonldap/NG/Common/Notifications/DBI.pm
|
||||
|
|
|
@ -173,7 +173,7 @@ sub getConf {
|
|||
unless ( ref( $self->{refLocalStorage} ) ) {
|
||||
$msg .= "Get remote configuration (localStorage unavailable).\n";
|
||||
$r = $self->getDBConf($args);
|
||||
return undef unless ($r->{cfgNum});
|
||||
return undef unless ( $r->{cfgNum} );
|
||||
$self->setDefault( $r, $args->{localPrm} );
|
||||
$self->compactConf($r);
|
||||
}
|
||||
|
|
|
@ -96,14 +96,14 @@ sub store {
|
|||
|
||||
sub load {
|
||||
my ( $self, $cfgNum, $fields ) = @_;
|
||||
my ($f,$filename);
|
||||
my ( $f, $filename );
|
||||
if ( -e $self->_file($cfgNum) ) {
|
||||
$filename = $self->_file($cfgNum);
|
||||
}
|
||||
elsif ( -e "$self->{dirName}/lmConf-$cfgNum.js" ) {
|
||||
$filename = "$self->{dirName}/lmConf-$cfgNum.js";
|
||||
}
|
||||
if($filename) {
|
||||
if ($filename) {
|
||||
local $/ = '';
|
||||
my $ret;
|
||||
unless ( open FILE, $filename ) {
|
||||
|
|
|
@ -18,7 +18,7 @@ sub compactConf {
|
|||
$keep{$mod} = 1;
|
||||
}
|
||||
if ( $keep{combination} ) {
|
||||
foreach my $md (keys %{$conf->{combModules}}) {
|
||||
foreach my $md ( keys %{ $conf->{combModules} } ) {
|
||||
$_ = $conf->{combModules}->{$md}->{type};
|
||||
s/^(\w+).*$/lc($1)/e;
|
||||
s/OpenIDConnect/oidc/i;
|
||||
|
@ -35,7 +35,7 @@ sub compactConf {
|
|||
}
|
||||
}
|
||||
}
|
||||
foreach my $key (keys %$authParameters) {
|
||||
foreach my $key ( keys %$authParameters ) {
|
||||
my $mod = $key;
|
||||
$mod =~ s/Params$//;
|
||||
unless ( $keep{$mod} ) {
|
||||
|
|
|
@ -28,14 +28,14 @@ extends 'Lemonldap::NG::Common::Conf::AccessLib';
|
|||
#@return keyvalue (string, int or hashref)
|
||||
sub getConfKey {
|
||||
my ( $self, $req, $key, @args ) = @_;
|
||||
$self->lmLog( "Search for $key in conf", 'debug' );
|
||||
$self->logger->debug("Search for $key in conf");
|
||||
|
||||
# Verify that cfgNum has been asked
|
||||
unless ( defined $req->params('cfgNum') ) {
|
||||
$req->error("Missing configuration number");
|
||||
return undef;
|
||||
}
|
||||
$self->lmLog( "Cfgnum set to " . $req->params('cfgNum'), 'debug' );
|
||||
$self->logger->debug( "Cfgnum set to " . $req->params('cfgNum') );
|
||||
|
||||
# when 'latest' => replace by last cfgNum
|
||||
if ( $req->params('cfgNum') eq 'latest' ) {
|
||||
|
@ -117,7 +117,7 @@ sub getConfByNum {
|
|||
#@return PSGI JSON response
|
||||
sub complexNodesRoot {
|
||||
my ( $self, $req, $query, $tpl ) = @_;
|
||||
$self->lmLog( "Query for $query template keys", 'debug' );
|
||||
$self->logger->debug("Query for $query template keys");
|
||||
|
||||
my $tmp = $self->getConfKey( $req, $query );
|
||||
return $self->sendError( $req, undef, 400 ) if ( $req->error );
|
||||
|
@ -170,7 +170,7 @@ sub virtualHosts {
|
|||
my ( $id, $resp ) = ( 1, [] );
|
||||
my $vhk = eval { $self->getConfKey( $req, $query )->{$vh} } // {};
|
||||
return $self->sendError( $req, undef, 400 ) if ( $req->error );
|
||||
$self->lmLog( "Query for $vh/$query keys", 'debug' );
|
||||
$self->logger->debug("Query for $vh/$query keys");
|
||||
|
||||
# Keys are ordered except 'default' which must be at the end
|
||||
foreach my $r (
|
||||
|
@ -210,7 +210,7 @@ sub virtualHosts {
|
|||
return $self->sendJSONresponse( $req, $resp );
|
||||
}
|
||||
elsif ( $query =~ /^vhost(?:(?:Aliase|Http)s|Maintenance|Port|Type)$/ ) {
|
||||
$self->lmLog( "Query for $vh/$query key", 'debug' );
|
||||
$self->logger->debug("Query for $vh/$query key");
|
||||
|
||||
# TODO: verify how this is done actually
|
||||
my $k1 = $self->getConfKey( $req, 'vhostOptions' );
|
||||
|
@ -593,14 +593,14 @@ sub combModules {
|
|||
foreach my $mod ( keys %$val ) {
|
||||
my $tmp;
|
||||
$tmp->{title} = $mod;
|
||||
$tmp->{id} = "combModules/$mod";
|
||||
$tmp->{type} = 'cmbModule';
|
||||
$tmp->{id} = "combModules/$mod";
|
||||
$tmp->{type} = 'cmbModule';
|
||||
$tmp->{data}->{$_} = $val->{$mod}->{$_} foreach (qw(type for));
|
||||
my $over = $val->{$mod}->{over} // {};
|
||||
$tmp->{data}->{over} = [ map { [ $_, $over->{$_} ] } keys %$over ];
|
||||
push @$res, $tmp;
|
||||
}
|
||||
return $self->sendJSONresponse($req,$res);
|
||||
return $self->sendJSONresponse( $req, $res );
|
||||
}
|
||||
|
||||
# 33 - Root queries
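Review bot: In getConfKey, the rewritten line `$self->logger->debug( "Cfgnum set to " . $req->params('cfgNum') );` interpolates the raw request parameter into the log when the only check so far is `defined`, so a value carrying CR/LF or other control characters is written verbatim. Nothing visible in the loggers touched by this commit escapes such characters, so either emit this line after the `latest`/numeric handling that follows, or strip control characters first, e.g. `( my $shown = $req->params('cfgNum') ) =~ s/[^\w.-]//g;` and log `$shown`. The remainder of getConfKey continues outside the hunk.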
|
||||
|
|
|
@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::Apache2;
|
|||
|
||||
use Apache2::ServerRec;
|
||||
|
||||
sub new{
|
||||
sub new {
|
||||
return bless {}, shift;
|
||||
}
|
||||
|
||||
|
@ -10,6 +10,6 @@ sub AUTOLOAD {
|
|||
shift;
|
||||
$AUTOLOAD =~ s/.*:://;
|
||||
return Apache2::ServerRec->log->$AUTOLOAD(@_);
|
||||
};
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
|
@ -22,7 +22,7 @@ sub new {
|
|||
$name = 'warning' if ( $_ eq 'warn' );
|
||||
$name = 'err' if ( $_ eq 'error' );
|
||||
eval qq'sub $_ {syslog("$name|".\$_[0]->{facility},\$_[1])}';
|
||||
die $@ if($@);
|
||||
die $@ if ($@);
|
||||
}
|
||||
else {
|
||||
eval qq'sub $_ {1}';
|
||||
|
|
|
@ -5,16 +5,14 @@ use Mouse;
|
|||
|
||||
our $VERSION = '2.0.0';
|
||||
|
||||
# Object that provides lmLog and error methods (typically PSGI object)
|
||||
# Object that provides loggers and error methods (typically PSGI object)
|
||||
has p => ( is => 'rw', weak_ref => 1 );
|
||||
|
||||
# Lemonldap::NG configuration hash ref
|
||||
has conf => ( is => 'rw', weak_ref => 1 );
|
||||
|
||||
sub lmLog {
|
||||
my $self = shift;
|
||||
return $self->p->lmLog(@_);
|
||||
}
|
||||
has logger => ( is => 'ro', default => sub { $_[0]->{p}->logger } );
|
||||
has userLogger => ( is => 'ro', default => sub { $_[0]->{p}->userLogger } );
|
||||
|
||||
sub error {
|
||||
my $self = shift;
|
||||
|
|
|
@ -14,9 +14,10 @@ use Encode;
|
|||
our $VERSION = '2.0.0';
|
||||
|
||||
extends 'Lemonldap::NG::Common::Notifications';
|
||||
|
||||
sub import {
|
||||
shift;
|
||||
return Lemonldap::NG::Common::Notifications->import(@_)
|
||||
return Lemonldap::NG::Common::Notifications->import(@_);
|
||||
}
|
||||
|
||||
has dbiTable => (
|
||||
|
@ -32,7 +33,7 @@ has dbiChain => (
|
|||
has dbiUser => (
|
||||
is => 'ro',
|
||||
default => sub {
|
||||
$_[0]->{p}->lmLog( 'Warning: "dbiUser" parameter is not set', 'warn' );
|
||||
$_[0]->{p}->logger->warn('Warning: "dbiUser" parameter is not set');
|
||||
return '';
|
||||
}
|
||||
);
|
||||
|
@ -49,7 +50,7 @@ has _dbh => (
|
|||
$self->{dbiChain}, $self->{dbiUser},
|
||||
$self->{dbiPassword}, { RaiseError => 0 }
|
||||
);
|
||||
$self->lmLog( $DBI::errstr, 'error' ) unless ($r);
|
||||
$self->logger->error($DBI::errstr) unless ($r);
|
||||
return $r;
|
||||
}
|
||||
);
|
||||
|
@ -83,7 +84,7 @@ sub get {
|
|||
&getIdentifier( $self, $h->{uid}, $h->{ref}, $h->{date} );
|
||||
$result->{$identifier} = $xml;
|
||||
}
|
||||
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
|
||||
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
@ -104,7 +105,7 @@ sub getAll {
|
|||
condition => $h->{condition}
|
||||
};
|
||||
}
|
||||
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
|
||||
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
@ -115,7 +116,7 @@ sub delete {
|
|||
my ( $self, $myref ) = @_;
|
||||
my ( $d, $u, $r );
|
||||
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
|
||||
$self->lmLog( "Bad reference $myref", 'warn' );
|
||||
$self->logger->warn("Bad reference $myref");
|
||||
return 0;
|
||||
}
|
||||
my @ts = localtime();
|
||||
|
@ -136,7 +137,7 @@ sub purge {
|
|||
my ( $self, $myref, $force ) = @_;
|
||||
my ( $d, $u, $r );
|
||||
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
|
||||
$self->lmLog( "Bad reference $myref", 'warn' );
|
||||
$self->logger->warn("Bad reference $myref");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -186,7 +187,7 @@ sub getDone {
|
|||
$result->{"$h->{date}#$h->{uid}#$h->{ref}"} =
|
||||
{ notified => $done, uid => $h->{uid}, ref => $h->{ref}, };
|
||||
}
|
||||
$self->lmLog( $self->sth->err(), 'warn' ) if ( $self->sth->err() );
|
||||
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
@ -197,12 +198,12 @@ sub _execute {
|
|||
my ( $self, $query, @args ) = @_;
|
||||
my $dbh = $self->_dbh or return 0;
|
||||
unless ( $self->sth( $dbh->prepare($query) ) ) {
|
||||
$self->lmLog( $dbh->errstr(), 'warn' );
|
||||
$self->logger->warn( $dbh->errstr() );
|
||||
return 0;
|
||||
}
|
||||
my $tmp;
|
||||
unless ( $tmp = $self->sth->execute(@args) ) {
|
||||
$self->lmLog( $self->sth->errstr(), 'warn' );
|
||||
$self->logger->warn( $self->sth->errstr() );
|
||||
return 0;
|
||||
}
|
||||
return $tmp;
|
||||
|
|
|
@ -48,8 +48,8 @@ sub get {
|
|||
my $files;
|
||||
foreach my $file (@notif) {
|
||||
unless ( open F, $self->{dirName} . "/$file" ) {
|
||||
$self->lmLog( "Unable to read notification $self->{dirName}/$file",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Unable to read notification $self->{dirName}/$file");
|
||||
next;
|
||||
}
|
||||
$files->{$file} = join( '', <F> );
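Review bot: The rewritten error line in get() drops the reason for the failure and sits behind the two-argument, bareword `open F, $self->{dirName} . "/$file"`, where the filename doubles as a mode specification and the operator is told nothing about why the read failed. Use the three-argument form with a lexical handle and include `$!`: `unless ( open my $fh, '<', "$self->{dirName}/$file" ) { $self->logger->error("Unable to read notification $self->{dirName}/$file: $!"); next; }`, then read `<$fh>` on the line below. Where `@notif` comes from is outside the hunk, so I cannot tell whether `$file` is already constrained to plain names.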
|
||||
|
|
|
@ -9,7 +9,7 @@ sub newNotification {
|
|||
my $json;
|
||||
eval { $json = from_json($jsonString) };
|
||||
if ( my $err = $@ ) {
|
||||
eval { $self->lmLog( "Unable to decode JSON file: $err", 'error' ) };
|
||||
eval { $self->logger->error("Unable to decode JSON file: $err") };
|
||||
return 0;
|
||||
}
|
||||
my @notifs;
|
||||
|
@ -21,7 +21,7 @@ sub newNotification {
|
|||
foreach (qw(date uid reference)) {
|
||||
my $tmp;
|
||||
unless ( $tmp = $notif->{$_} ) {
|
||||
$self->lmLog( "Attribute $_ is missing", 'error' );
|
||||
$self->logger->error("Attribute $_ is missing");
|
||||
return 0;
|
||||
}
|
||||
push @datas, $tmp;
|
||||
|
@ -44,16 +44,14 @@ sub deleteNotification {
|
|||
|
||||
# Check input parameters
|
||||
unless ( $uid and $myref ) {
|
||||
$self->lmLog(
|
||||
'REST service "delete notification" called without all parameters',
|
||||
'error'
|
||||
$self->userLogger->error(
|
||||
'REST service "delete notification" called without all parameters'
|
||||
);
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"REST service deleteNotification called for uid $uid and reference $myref",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"REST service deleteNotification called for uid $uid and reference $myref"
|
||||
);
|
||||
|
||||
# Get notifications
|
||||
|
@ -79,7 +77,7 @@ sub deleteNotification {
|
|||
# Delete the notification (really)
|
||||
foreach (@data) {
|
||||
if ( $self->purge( $_, 1 ) ) {
|
||||
$self->lmLog( "Notification $_ was removed.", 'debug' );
|
||||
$self->logger->debug("Notification $_ was removed.");
|
||||
$count++;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,9 +16,10 @@ use utf8;
|
|||
our $VERSION = '2.0.0';
|
||||
|
||||
extends 'Lemonldap::NG::Common::Notifications';
|
||||
|
||||
sub import {
|
||||
shift;
|
||||
return Lemonldap::NG::Common::Notifications->import(@_)
|
||||
return Lemonldap::NG::Common::Notifications->import(@_);
|
||||
}
|
||||
|
||||
has ldapServer => (
|
||||
|
@ -38,7 +39,7 @@ has ldapConfBase => (
|
|||
has ldapBindDN => (
|
||||
is => 'ro',
|
||||
default => sub {
|
||||
$_[0]->p->lmLog( 'Warning: "ldapBindDN" parameter is not set', 'warn' );
|
||||
$_[0]->p->logger->warn('Warning: "ldapBindDN" parameter is not set');
|
||||
return '';
|
||||
}
|
||||
);
|
||||
|
@ -69,7 +70,7 @@ sub get {
|
|||
my $identifier =
|
||||
&getIdentifier( $self, $f->{uid}, $f->{ref}, $f->{date} );
|
||||
$result->{$identifier} = "$xml";
|
||||
$self->lmLog( "notification $identifier found", 'info' );
|
||||
$self->logger->info("notification $identifier found");
|
||||
|
||||
}
|
||||
return $result;
|
||||
|
@ -113,7 +114,7 @@ sub delete {
|
|||
my ( $self, $myref ) = @_;
|
||||
my ( $d, $u, $r );
|
||||
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
|
||||
$self->lmLog( "Bad reference $myref", 'warn' );
|
||||
$self->logger->warn("Bad reference $myref");
|
||||
return 0;
|
||||
}
|
||||
my @ts = localtime();
|
||||
|
@ -140,7 +141,7 @@ sub purge {
|
|||
my ( $self, $myref, $force ) = @_;
|
||||
my ( $d, $u, $r );
|
||||
unless ( ( $d, $u, $r ) = ( $myref =~ /^([^#]+)#(.+?)#(.+)$/ ) ) {
|
||||
$self->lmLog( "Bad reference $myref", 'warn' );
|
||||
$self->logger->warn("Bad reference $myref");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -235,7 +236,7 @@ sub _search {
|
|||
);
|
||||
|
||||
if ( $search->code ) {
|
||||
$self->lmLog( "search error: " . $search->error(), 'error' );
|
||||
$self->logger->error( "search error: " . $search->error() );
|
||||
return ();
|
||||
}
|
||||
|
||||
|
@ -385,7 +386,7 @@ sub _ldap {
|
|||
);
|
||||
|
||||
unless ($ldap) {
|
||||
$self->lmLog( 'connexion failed: ' . $@, 'error' );
|
||||
$self->logger->error( 'connexion failed: ' . $@ );
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -396,7 +397,7 @@ sub _ldap {
|
|||
$h{capath} = $self->{caPath} if ( $self->{caPath} );
|
||||
my $start_tls = $ldap->start_tls(%h);
|
||||
if ( $start_tls->code ) {
|
||||
$self->lmLog( 'tls failed: ' . $start_tls->error, 'error' );
|
||||
$self->logger->error( 'tls failed: ' . $start_tls->error );
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -405,7 +406,7 @@ sub _ldap {
|
|||
my $bind =
|
||||
$ldap->bind( $self->{ldapBindDN}, password => $self->{ldapBindPassword} );
|
||||
if ( $bind->code ) {
|
||||
$self->lmLog( 'bind failed: ' . $bind->error, 'error' );
|
||||
$self->logger->error( 'bind failed: ' . $bind->error );
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ sub newNotification {
|
|||
my ( $self, $xml ) = @_;
|
||||
eval { $xml = $self->parser->parse_string($xml) };
|
||||
if ( my $err = $@ ) {
|
||||
eval { $self->lmLog( "Unable to read XML file : $err", 'error' ) };
|
||||
eval { $self->logger->error("Unable to read XML file : $err") };
|
||||
return 0;
|
||||
}
|
||||
my @notifs;
|
||||
|
@ -33,7 +33,7 @@ sub newNotification {
|
|||
foreach (qw(date uid reference)) {
|
||||
my $tmp;
|
||||
unless ( $tmp = $notif->getAttribute($_) ) {
|
||||
$self->lmLog( "Attribute $_ is missing", 'error' );
|
||||
$self->logger->error("Attribute $_ is missing");
|
||||
return 0;
|
||||
}
|
||||
push @datas, $tmp;
|
||||
|
@ -75,15 +75,13 @@ sub deleteNotification {
|
|||
|
||||
# Check input parameters
|
||||
unless ( $uid and $myref ) {
|
||||
$self->lmLog(
|
||||
"SOAP service deleteNotification called without all parameters",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"SOAP service deleteNotification called without all parameters");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"SOAP service deleteNotification called for uid $uid and reference $myref",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"SOAP service deleteNotification called for uid $uid and reference $myref"
|
||||
);
|
||||
|
||||
# Get notifications
|
||||
|
@ -111,7 +109,7 @@ sub deleteNotification {
|
|||
# Delete the notification (really)
|
||||
foreach (@data) {
|
||||
if ( $self->purge( $_, 1 ) ) {
|
||||
$self->lmLog( "Notification $_ was removed.", 'debug' );
|
||||
$self->logger->debug("Notification $_ was removed.");
|
||||
$count++;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -186,7 +186,7 @@ body{background:#000;color:#fff;padding:10px 50px;font-family:sans-serif;}a{text
|
|||
|
||||
sub abort {
|
||||
my ( $self, $err ) = @_;
|
||||
$self->lmLog( $err, 'error' );
|
||||
$self->logger->error($err);
|
||||
return sub {
|
||||
$self->sendError( Lemonldap::NG::Common::PSGI::Request->new( $_[0] ),
|
||||
$err, 500 );
|
||||
|
@ -233,7 +233,7 @@ sub sendHtml {
|
|||
return $self->sendError( $req, "Unable to read $template", 500 )
|
||||
unless ( -r $template and -f $template );
|
||||
eval {
|
||||
$self->lmLog( "Starting HTML generation using $template", 'debug' );
|
||||
$self->logger->debug("Starting HTML generation using $template");
|
||||
require HTML::Template;
|
||||
$htpl = HTML::Template->new(
|
||||
filehandle => IO::File->new($template),
|
||||
|
@ -263,7 +263,7 @@ sub sendHtml {
|
|||
|
||||
# Set headers
|
||||
my $hdrs = [ 'Content-Type' => 'text/html', @{ $args{headers} } ];
|
||||
$self->lmLog( "Sending $template", 'debug' );
|
||||
$self->logger->debug("Sending $template");
|
||||
return [ $args{code}, $hdrs, [ $htpl->output() ] ];
|
||||
}
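Review bot: abort() now logs `$err` and then hands the same `$err` to sendError() as the body of a 500 response, so whatever internal detail that string carries (sendHtml's "Unable to read $template" message, for instance, includes a filesystem path) is shown to the client. Keep the detail in the log and send a generic message: `$self->logger->error($err); return sub { $self->sendError( Lemonldap::NG::Common::PSGI::Request->new( $_[0] ), 'Internal server error', 500 ) };`. This presumes sendError echoes its second argument in the response, which the hunk does not show.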
|
||||
|
||||
|
|
|
@ -37,8 +37,8 @@ sub new {
|
|||
sub uri { $_[0]->{uri} }
|
||||
|
||||
sub userData {
|
||||
my($self,$v)=@_;
|
||||
return $_[0]->{userData} = $v if($v);
|
||||
my ( $self, $v ) = @_;
|
||||
return $_[0]->{userData} = $v if ($v);
|
||||
return $_[0]->{userData} || { _whatToTrace => $_[0]->user, };
|
||||
}
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ sub addRoute {
|
|||
my ( $self, $word, $dest, $methods, $transform ) = (@_);
|
||||
$methods ||= [qw(GET POST PUT DELETE)];
|
||||
foreach my $method (@$methods) {
|
||||
$self->lmLog( "Add $method route:", 'debug' );
|
||||
$self->logger->debug("Add $method route:");
|
||||
$self->genRoute( $self->routes->{$method}, $word, $dest, $transform );
|
||||
}
|
||||
return $self;
|
||||
|
@ -51,7 +51,7 @@ sub genRoute {
|
|||
}
|
||||
if ( $dest =~ /^(.+)\.html$/ ) {
|
||||
my $tpl = $1 or die;
|
||||
$self->lmLog( "route $dest will use $tpl", 'debug' );
|
||||
$self->logger->debug("route $dest will use $tpl");
|
||||
$routes->{$word} = sub { $self->sendHtml( $_[1], $tpl ) };
|
||||
return;
|
||||
}
|
||||
|
@ -85,7 +85,7 @@ sub genRoute {
|
|||
else {
|
||||
die "$dest() isn't a method";
|
||||
}
|
||||
$self->lmLog( "route $word added", 'debug' );
|
||||
$self->logger->debug("route $word added");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -121,7 +121,7 @@ sub handler {
|
|||
$last = 1 if ( $_ =~ /[^\.\w]/ );
|
||||
( $last or /^$/ ? 0 : 1 );
|
||||
} split /\//, $req->path();
|
||||
$self->lmLog( "Start routing " . ( $path[0] // 'default route' ), 'debug' );
|
||||
$self->logger->debug( "Start routing " . ( $path[0] // 'default route' ) );
|
||||
|
||||
if ( !@path and $self->defaultRoute ) {
|
||||
@path = ( $self->defaultRoute );
|
||||
|
|
|
@ -125,8 +125,7 @@ sub _tie_session {
|
|||
|
||||
eval {
|
||||
# SOAP session module must be directly tied
|
||||
if ( $self->storageModule =~
|
||||
/^Lemonldap::NG::Common::Apache::Session/ )
|
||||
if ( $self->storageModule =~ /^Lemonldap::NG::Common::Apache::Session/ )
|
||||
{
|
||||
tie %h, $self->storageModule, $self->id,
|
||||
{ %{ $self->options }, %$options };
|
||||
|
|
|
@ -59,7 +59,7 @@ ok(
|
|||
'if(0) then [A,B] else [A,B] and [B,C]' );
|
||||
|
||||
while ( my $expr = shift @tests ) {
|
||||
ok( [getok($expr)]->[0] == 0, qq{"$expr" returns PE_OK as auth result} )
|
||||
ok( [ getok($expr) ]->[0] == 0, qq{"$expr" returns PE_OK as auth result} )
|
||||
or print STDERR "Expect 0, get " . getok($expr) . "\n";
|
||||
}
|
||||
|
||||
|
|
|
@ -36,7 +36,6 @@ eval { require threads::shared; };
|
|||
|
||||
our $request; # Apache2::RequestRec object for current request
|
||||
|
||||
|
||||
#*run = \&Lemonldap::NG::Handler::Main::run;
|
||||
|
||||
## @rmethod protected int redirectFilter(string url, Apache2::Filter f)
|
||||
|
|
|
@ -74,7 +74,7 @@ sub createSession {
|
|||
my $creds = $class->header_in('Authorization');
|
||||
$creds =~ s/^Basic\s+//;
|
||||
my ( $user, $pwd ) = ( decode_base64($creds) =~ /^(.*?):(.*)$/ );
|
||||
$class->lmLog( "AuthBasic authentication for user: $user", 'debug' );
|
||||
$class->logger->debug("AuthBasic authentication for user: $user");
|
||||
my $soapRequest = $soapClient->getCookies( $user, $pwd, $id );
|
||||
|
||||
# Catch SOAP errors
|
||||
|
@ -87,11 +87,8 @@ sub createSession {
|
|||
|
||||
# If authentication failed, display error
|
||||
if ( $res->{errorCode} ) {
|
||||
$class->lmLog(
|
||||
"Authentication failed for $user: "
|
||||
. $soapClient->error( $res->{errorCode}, 'en' )->result(),
|
||||
'notice'
|
||||
);
|
||||
$class->userLogger->notice( "Authentication failed for $user: "
|
||||
. $soapClient->error( $res->{errorCode}, 'en' )->result() );
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
|
@ -104,7 +101,7 @@ sub createSession {
|
|||
# Hide user credentials to the protected application
|
||||
sub hideCookie {
|
||||
my $class = shift;
|
||||
$class->lmLog( "removing Authorization header", 'debug' );
|
||||
$class->logger->debug("removing Authorization header");
|
||||
$class->unset_header_in('Authorization');
|
||||
}
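Review bot: The new line `$class->logger->debug("AuthBasic authentication for user: $user");` writes a value taken directly from the client's Authorization header into the log: `$user` is whatever precedes the first colon of the base64-decoded credentials, so it can carry CR/LF or other control characters, and it is undef (with a warning) when the decoded string has no colon at all. Reject a malformed header and sanitise before logging, e.g. `return 0 unless defined $user; ( my $shown = $user ) =~ s/[^[:print:]]/?/g;` and log `$shown`; the `userLogger->notice` line for the failure case interpolates the same value. createSession starts before this hunk.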
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ sub _run {
|
|||
|
||||
# Override _run() only if protection != 'none'
|
||||
if ( !$self->rule or $self->rule ne 'none' ) {
|
||||
$self->lmLog( 'PSGI app is protected', 'debug' );
|
||||
$self->logger->debug('PSGI app is protected');
|
||||
|
||||
# Handle requests
|
||||
# Developers, be careful: Only this part is executed at each request
|
||||
|
@ -56,13 +56,13 @@ sub _run {
|
|||
}
|
||||
|
||||
else {
|
||||
$self->lmLog( 'PSGI app is not protected', 'debug' );
|
||||
$self->logger->debug('PSGI app is not protected');
|
||||
|
||||
# Check if main handler initialization has been done
|
||||
unless ( $self->api->tsv ) {
|
||||
$self->lmLog( 'Checking conf', 'debug' );
|
||||
$self->logger->debug('Checking conf');
|
||||
eval { $self->api->checkConf() };
|
||||
$self->lmLog( $@, 'error' ) if ($@);
|
||||
$self->logger->error($@) if ($@);
|
||||
}
|
||||
|
||||
# Handle unprotected requests
|
||||
|
@ -83,7 +83,7 @@ sub status {
|
|||
# Check if main handler initialization has been done
|
||||
unless ( %$self->api->tsv ) {
|
||||
eval { $self->api->checkConf() };
|
||||
$self->lmLog( $@, 'error' ) if ($@);
|
||||
$self->logger->error($@) if ($@);
|
||||
}
|
||||
return sub {
|
||||
my $req = Lemonldap::NG::Common::PSGI::Request->new( $_[0] );
|
||||
|
@ -100,7 +100,7 @@ sub reload {
|
|||
# Check if main handler initialization has been done
|
||||
unless ( %$self->api->tsv ) {
|
||||
eval { $self->api->checkConf() };
|
||||
$self->lmLog( $@, 'error' ) if ($@);
|
||||
$self->logger->error($@) if ($@);
|
||||
}
|
||||
return sub {
|
||||
my $req = Lemonldap::NG::Common::PSGI::Request->new( $_[0] );
|
||||
|
@ -134,7 +134,7 @@ sub _authAndTrace {
|
|||
return [ $res, $req->{respHeaders}, [] ];
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'User authenticated, calling handler()', 'debug' );
|
||||
$self->logger->debug('User authenticated, calling handler()');
|
||||
$res = $self->handler($req);
|
||||
push @{ $res->[1] }, @{ $req->{respHeaders} };
|
||||
}
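Review bot: status() and reload() test `unless ( %$self->api->tsv )` while _run() in the same file tests `unless ( $self->api->tsv )`; the `%` form dereferences `$self` as a hash before the arrow, which current perls reject ("Can't use a hash as a reference") instead of evaluating the intended condition. Unless the difference is deliberate, both lines should read `unless ( $self->api->tsv ) {` to match _run(). Neither sub's start is inside the hunk, so I cannot see whether anything there changes this.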
|
||||
|
|
|
@ -56,30 +56,28 @@ sub run {
|
|||
foreach (qw/secureTokenMemcachedServers secureTokenUrls/) {
|
||||
no strict 'refs';
|
||||
unless ( ref ${$_} eq "ARRAY" ) {
|
||||
$class->lmLog( "Transform $_ value into an array reference",
|
||||
'debug' );
|
||||
$class->logger->debug("Transform $_ value into an array reference");
|
||||
my @array = split( /\s+/, ${$_} );
|
||||
${$_} = \@array;
|
||||
}
|
||||
}
|
||||
|
||||
# Display found values in debug mode
|
||||
$class->lmLog( "secureTokenMemcachedServers: @$secureTokenMemcachedServers",
|
||||
'debug' );
|
||||
$class->lmLog( "secureTokenExpiration: $secureTokenExpiration", 'debug' );
|
||||
$class->lmLog( "secureTokenAttribute: $secureTokenAttribute", 'debug' );
|
||||
$class->lmLog( "secureTokenUrls: @$secureTokenUrls", 'debug' );
|
||||
$class->lmLog( "secureTokenHeader: $secureTokenHeader", 'debug' );
|
||||
$class->lmLog( "secureTokenAllowOnError: $secureTokenAllowOnError",
|
||||
'debug' );
|
||||
$class->logger->debug(
|
||||
"secureTokenMemcachedServers: @$secureTokenMemcachedServers");
|
||||
$class->logger->debug("secureTokenExpiration: $secureTokenExpiration");
|
||||
$class->logger->debug("secureTokenAttribute: $secureTokenAttribute");
|
||||
$class->logger->debug("secureTokenUrls: @$secureTokenUrls");
|
||||
$class->logger->debug("secureTokenHeader: $secureTokenHeader");
|
||||
$class->logger->debug("secureTokenAllowOnError: $secureTokenAllowOnError");
|
||||
|
||||
# Return if we are not on a secure token URL
|
||||
my $checkurl = 0;
|
||||
foreach (@$secureTokenUrls) {
|
||||
if ( $uri =~ m#$_# ) {
|
||||
$checkurl = 1;
|
||||
$class->lmLog( "URL $uri detected as an Secure Token URL (rule $_)",
|
||||
'debug' );
|
||||
$class->logger->debug(
|
||||
"URL $uri detected as an Secure Token URL (rule $_)");
|
||||
last;
|
||||
}
|
||||
}
|
||||
|
@ -138,7 +136,7 @@ sub _createMemcachedConnection {
|
|||
'debug' => 0,
|
||||
};
|
||||
|
||||
$class->lmLog( "Memcached connection created", 'debug' );
|
||||
$class->logger->debug("Memcached connection created");
|
||||
|
||||
return $memd;
|
||||
}
|
||||
|
@ -162,7 +160,7 @@ sub _setToken {
|
|||
return;
|
||||
}
|
||||
|
||||
$class->lmLog( "Set $value in token $key", 'info' );
|
||||
$class->logger->info("Set $value in token $key");
|
||||
|
||||
return $key;
|
||||
}
|
||||
|
@ -180,7 +178,7 @@ sub _deleteToken {
|
|||
$class->( "Unable to delete secure token $key", 'error' );
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Token $key deleted", 'info' );
|
||||
$class->logger->info("Token $key deleted");
|
||||
}
|
||||
|
||||
return $res;
|
||||
|
@ -228,12 +226,12 @@ sub _returnError {
|
|||
|
||||
# Redirect or Forbidden?
|
||||
if ( $class->tsv->{useRedirectOnError} ) {
|
||||
$class->lmLog( "Use redirect for error", 'debug' );
|
||||
$class->logger->debug("Use redirect for error");
|
||||
return $class->goToPortal( '/', 'lmError=500' );
|
||||
}
|
||||
|
||||
else {
|
||||
$class->lmLog( "Return error", 'debug' );
|
||||
$class->logger->debug("Return error");
|
||||
return $class->SERVER_ERROR;
|
||||
}
|
||||
}
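Review bot: In _deleteToken the error branch still reads `$class->( "Unable to delete secure token $key", 'error' );`, which invokes the class name as a code reference and dies under strict refs, so a failed memcached delete becomes a request error rather than a logged one; the call was already missing its `lmLog` and this commit leaves it untouched. It should become `$class->logger->error("Unable to delete secure token $key");`. Both that line and the new `info` line below it also put the token key itself into the log, and since the key is what the protected application trusts, logging only a prefix or a hash of it would be safer. _deleteToken starts outside the hunk.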
|
||||
|
|
|
@ -157,7 +157,7 @@ sub run {
|
|||
if ( my ( $cacheModule, $cacheOptions ) = ( $1, $2 ) ) {
|
||||
eval "use $cacheModule;"
|
||||
. "\$cache = new $cacheModule(\$cacheOptions);";
|
||||
print STDERR "$@\n" if ($@); # TODO: use lmLog instead
|
||||
print STDERR "$@\n" if ($@); # TODO: use logger instead
|
||||
}
|
||||
else {
|
||||
$cache = undef;
|
||||
|
|
|
@ -18,8 +18,8 @@ our $VERSION = '2.0.0';
|
|||
|
||||
# Overload main run method
|
||||
sub run {
|
||||
my($class,$req) = @_;
|
||||
my $ret = $class->SUPER::run($req);
|
||||
my ( $class, $req ) = @_;
|
||||
my $ret = $class->SUPER::run($req);
|
||||
|
||||
# Continue only if user is authorized
|
||||
return $ret unless ( $ret == $class->OK );
|
||||
|
@ -37,19 +37,19 @@ sub run {
|
|||
my $timeout = $localConfig->{'timeout'} || '0';
|
||||
|
||||
# Display found values in debug mode
|
||||
$class->lmLog( "zimbraPreAuthKey: $zimbraPreAuthKey", 'debug' );
|
||||
$class->lmLog( "zimbraAccountKey: $zimbraAccountKey", 'debug' );
|
||||
$class->lmLog( "zimbraBy: $zimbraBy", 'debug' );
|
||||
$class->lmLog( "zimbraUrl: $zimbraUrl", 'debug' );
|
||||
$class->lmLog( "zimbraSsoUrl: $zimbraSsoUrl", 'debug' );
|
||||
$class->lmLog( "timeout: $timeout", 'debug' );
|
||||
$class->logger->debug("zimbraPreAuthKey: $zimbraPreAuthKey");
|
||||
$class->logger->debug("zimbraAccountKey: $zimbraAccountKey");
|
||||
$class->logger->debug("zimbraBy: $zimbraBy");
|
||||
$class->logger->debug("zimbraUrl: $zimbraUrl");
|
||||
$class->logger->debug("zimbraSsoUrl: $zimbraSsoUrl");
|
||||
$class->logger->debug("timeout: $timeout");
|
||||
|
||||
# Return if we are not on a Zimbra SSO URI
|
||||
return $class->OK unless ( $uri =~ $zimbraSsoUrl );
|
||||
|
||||
# Check mandatory parameters
|
||||
unless ($zimbraPreAuthKey) {
|
||||
$class->lmLog( "No Zimbra preauth key configured", 'error' );
|
||||
$class->logger->error("No Zimbra preauth key configured");
|
||||
return $class->SERVER_ERROR;
|
||||
}
|
||||
|
||||
|
@ -88,15 +88,14 @@ sub _buildZimbraPreAuthUrl {
|
|||
my $computed_value =
|
||||
hmac_sha1_hex( "$account|$by|$expires|$timestamp", $key );
|
||||
|
||||
$class->lmLog(
|
||||
"Compute value $account|$by|$expires|$timestamp into $computed_value",
|
||||
'debug' );
|
||||
$class->logger->debug(
|
||||
"Compute value $account|$by|$expires|$timestamp into $computed_value");
|
||||
|
||||
# Build PreAuth URL
|
||||
my $zimbra_url =
|
||||
"$url?account=$account&by=$by×tamp=$timestamp&expires=$expires&preauth=$computed_value";
|
||||
|
||||
$class->lmLog( "Build Zimbra URL: $zimbra_url", 'debug' );
|
||||
$class->logger->debug("Build Zimbra URL: $zimbra_url");
|
||||
|
||||
return $zimbra_url;
|
||||
}
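Review bot: The rewritten debug block in run() writes `zimbraPreAuthKey` and `zimbraAccountKey` to the log in clear; the pre-auth key is the shared secret that keys the HMAC computed in _buildZimbraPreAuthUrl, so anyone able to read the handler log can mint pre-auth URLs for any account. Drop those two lines or log only whether the value is present, e.g. `$class->logger->debug( "zimbraPreAuthKey: " . ( $zimbraPreAuthKey ? 'set' : 'unset' ) );`. The "Build Zimbra URL" line has the same problem, since the finished URL embeds the `preauth` value.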
|
||||
|
|
|
@ -38,7 +38,7 @@ sub build_jail {
|
|||
$self->customFunctions ? split( /\s+/, $self->customFunctions ) : ();
|
||||
foreach (@t) {
|
||||
no warnings 'redefine';
|
||||
$api->lmLog( "Custom function : $_", 'debug' );
|
||||
$api->logger->debug("Custom function : $_");
|
||||
my $sub = $_;
|
||||
unless (/::/) {
|
||||
$sub = "$self\::$_";
|
||||
|
@ -51,7 +51,7 @@ sub build_jail {
|
|||
my \$uri = $api\::uri_with_args();
|
||||
return $sub(\$uri,\@_)
|
||||
}";
|
||||
$api->lmLog( $@, 'error' ) if ($@);
|
||||
$api->logger->error($@) if ($@);
|
||||
$_ = "&$_";
|
||||
}
|
||||
|
||||
|
@ -149,7 +149,8 @@ sub jail_reval {
|
|||
my $res;
|
||||
eval {
|
||||
$res = (
|
||||
SAFEWRAP and $self->useSafeJail
|
||||
SAFEWRAP
|
||||
and $self->useSafeJail
|
||||
? $self->jail->wrap_code_ref( $self->jail->reval($reval) )
|
||||
: $self->jail->reval($reval)
|
||||
);
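Review bot: In build_jail the name taken from `customFunctions` is interpolated unchanged into the string `eval` that defines the wrapper (`return $sub(\$uri,\@_)`), so a value that is not a plain identifier becomes arbitrary Perl executed in the handler's context, and with `no warnings 'redefine'` in force it can also silently replace an existing sub. Even though customFunctions appears to be configuration rather than request data, reject anything that is not a qualified name before the eval: `unless ( /^[A-Za-z_]\w*(?:::\w+)*$/ ) { $api->logger->error("Invalid custom function name: $_"); next; }`. The foreach starts outside the hunk, so the exact source of `@t` is not visible.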
|
||||
|
|
|
@ -37,37 +37,32 @@ sub checkConf {
|
|||
{ local => !$force, localPrm => $class->localConfig } );
|
||||
|
||||
unless ( ref($conf) ) {
|
||||
$class->lmLog(
|
||||
"$class: Unable to load configuration: $Lemonldap::NG::Common::Conf::msg",
|
||||
'error'
|
||||
$class->logger->error(
|
||||
"$class: Unable to load configuration: $Lemonldap::NG::Common::Conf::msg"
|
||||
);
|
||||
return $force ? 0 : $class->cfgNum ? 1 : 0;
|
||||
}
|
||||
|
||||
if ( !$class->cfgNum or $class->cfgNum != $conf->{cfgNum} ) {
|
||||
$class->lmLog(
|
||||
"Get configuration $conf->{cfgNum} ($Lemonldap::NG::Common::Conf::msg)",
|
||||
'debug'
|
||||
$class->logger->debug(
|
||||
"Get configuration $conf->{cfgNum} ($Lemonldap::NG::Common::Conf::msg)"
|
||||
);
|
||||
$class->lastCheck( time() );
|
||||
unless ( $class->cfgNum( $conf->{cfgNum} ) ) {
|
||||
$class->lmLog( 'No configuration available', 'error' );
|
||||
$class->logger->error('No configuration available');
|
||||
return 0;
|
||||
}
|
||||
$class->configReload($conf);
|
||||
}
|
||||
$class->lmLog( "$class: configuration is up to date", 'debug' );
|
||||
$class->logger->debug("$class: configuration is up to date");
|
||||
foreach (@_onReload) {
|
||||
my ( $obj, $sub ) = @$_;
|
||||
if ($obj) {
|
||||
$class->lmLog( 'Launching ' . ref($obj) . "->$sub(conf)", 'debug' );
|
||||
$class->logger->debug( 'Launching ' . ref($obj) . "->$sub(conf)" );
|
||||
unless ( $obj->$sub($conf) ) {
|
||||
$class->lmLog(
|
||||
"Underlying object can't load conf ("
|
||||
$class->logger->error( "Underlying object can't load conf ("
|
||||
. ref($obj)
|
||||
. "->$sub)",
|
||||
'error'
|
||||
);
|
||||
. "->$sub)" );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -83,7 +78,7 @@ sub checkConf {
|
|||
# @return Apache constant ($class->OK or $class->SERVER_ERROR)
|
||||
sub reload {
|
||||
my $class = shift;
|
||||
$class->lmLog( "Request for configuration reload", 'notice' );
|
||||
$class->logger->notice("Request for configuration reload");
|
||||
return $class->checkConf(1) ? $class->DONE : $class->SERVER_ERROR;
|
||||
}
|
||||
|
||||
|
@ -150,15 +145,15 @@ sub reload {
|
|||
# @param $tsv reference to the thread-shared parameters conf
|
||||
sub configReload {
|
||||
my ( $class, $conf ) = @_;
|
||||
$class->lmLog( "Loading configuration $conf->{cfgNum} for process $$",
|
||||
"info" );
|
||||
$class->logger->info(
|
||||
"Loading configuration $conf->{cfgNum} for process $$");
|
||||
|
||||
foreach my $sub (
|
||||
qw( jailInit defaultValuesInit portalInit locationRulesInit
|
||||
sessionStorageInit headersInit postUrlInit aliasInit )
|
||||
)
|
||||
{
|
||||
$class->lmLog( "Process $$ calls $sub", "debug" );
|
||||
$class->logger->debug("Process $$ calls $sub");
|
||||
$class->$sub($conf);
|
||||
}
|
||||
return 1;
|
||||
|
@ -211,8 +206,8 @@ sub defaultValuesInit {
|
|||
|
||||
# Keep default value if $val is negative
|
||||
if ( defined $val and $val >= 0 ) {
|
||||
$class->lmLog( "Options $opt for vhost $vhost: $val",
|
||||
'debug' );
|
||||
$class->logger->debug(
|
||||
"Options $opt for vhost $vhost: $val");
|
||||
$class->tsv->{$opt}->{$vhost} = $val;
|
||||
}
|
||||
}
|
||||
|
@ -233,7 +228,7 @@ sub defaultValuesInit {
|
|||
sub portalInit {
|
||||
my ( $class, $conf ) = @_;
|
||||
unless ( $conf->{portal} ) {
|
||||
$class->lmLog( "portal parameter required", 'error' );
|
||||
$class->logger->error("portal parameter required");
|
||||
return 0;
|
||||
}
|
||||
if ( $conf->{portal} =~ /[\$\(&\|"']/ ) {
|
||||
|
@ -267,11 +262,9 @@ sub locationRulesInit {
|
|||
my ( $cond, $prot ) = $class->conditionSub( $rules->{$url} );
|
||||
unless ($cond) {
|
||||
$class->tsv->{maintenance}->{$vhost} = 1;
|
||||
$class->lmLog(
|
||||
$class->logger->error(
|
||||
"Unable to build rule '$rules->{$url}': "
|
||||
. $class->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
. $class->tsv->{jail}->error );
|
||||
next;
|
||||
}
|
||||
|
||||
|
@ -307,7 +300,7 @@ sub locationRulesInit {
|
|||
sub sessionStorageInit {
|
||||
my ( $class, $conf ) = @_;
|
||||
unless ( $class->tsv->{sessionStorageModule} = $conf->{globalStorage} ) {
|
||||
$class->lmLog( "globalStorage required", 'error' );
|
||||
$class->logger->error("globalStorage required");
|
||||
return 0;
|
||||
}
|
||||
eval "use " . $class->tsv->{sessionStorageModule};
|
||||
|
@ -355,10 +348,8 @@ sub headersInit {
|
|||
$class->buildSub($sub) )
|
||||
{
|
||||
$class->tsv->{maintenance}->{$vhost} = 1;
|
||||
$class->lmLog(
|
||||
"$class Unable to forge headers: " . $class->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
$class->logger->error( "$class Unable to forge headers: "
|
||||
. $class->tsv->{jail}->error );
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
|
@ -376,7 +367,7 @@ sub postUrlInit {
|
|||
# Browse all POST URI
|
||||
foreach my $url ( keys %{ $conf->{post}->{$vhost} } ) {
|
||||
my $d = $conf->{post}->{$vhost}->{$url};
|
||||
$class->lmLog( "Compiling POST data for $url", 'debug' );
|
||||
$class->logger->debug("Compiling POST data for $url");
|
||||
|
||||
# Where to POST
|
||||
$d->{target} ||= $url;
|
||||
|
@ -392,11 +383,9 @@ sub postUrlInit {
|
|||
$class->buildSub($sub) )
|
||||
{
|
||||
$class->tsv->{maintenance}->{$vhost} = 1;
|
||||
$class->lmLog(
|
||||
$class->logger->error(
|
||||
"$class: Unable to build post datas: "
|
||||
. $class->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
. $class->tsv->{jail}->error );
|
||||
}
|
||||
|
||||
$class->tsv->{postFormParams}->{$vhost}->{$url} = $d;
|
||||
|
@ -457,8 +446,8 @@ sub conditionSub {
|
|||
if ( $cond =~ /^logout_app/i
|
||||
and not $class->isa('Lemonldap::NG::Handler::ApacheMP2::Main') )
|
||||
{
|
||||
$class->lmLog( "Rules logout_app and logout_app_sso require Apache>=2",
|
||||
'info' );
|
||||
$class->logger->info(
|
||||
"Rules logout_app and logout_app_sso require Apache>=2");
|
||||
return ( sub { 1 }, 0 );
|
||||
}
|
||||
|
||||
|
@ -509,11 +498,8 @@ sub conditionSub {
|
|||
$cond = $class->substitute($cond);
|
||||
my $sub;
|
||||
unless ( $sub = $class->buildSub($cond) ) {
|
||||
$class->lmLog(
|
||||
"$class: Unable to build condition ($cond): "
|
||||
. $class->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
$class->logger->error( "$class: Unable to build condition ($cond): "
|
||||
. $class->tsv->{jail}->error );
|
||||
}
|
||||
|
||||
# Return sub and protected flag
|
||||
|
@ -530,7 +516,7 @@ sub aliasInit {
|
|||
if ( my $aliases = $conf->{vhostOptions}->{$vhost}->{vhostAliases} ) {
|
||||
foreach ( split /\s+/, $aliases ) {
|
||||
$class->tsv->{vhostAlias}->{$_} = $vhost;
|
||||
$class->lmLog( "Registering $_ as alias of $vhost", 'debug' );
|
||||
$class->logger->debug("Registering $_ as alias of $vhost");
|
||||
}
|
||||
}
|
||||
}
@ -39,7 +39,7 @@ sub status {
|
|||
# Return Handler::Lib::Status output
|
||||
sub getStatus {
|
||||
my ($class) = @_;
|
||||
$class->lmLog( "Request for status", 'debug' );
|
||||
$class->logger->debug("Request for status");
|
||||
my $statusPipe = $class->tsv->{statusPipe};
|
||||
my $statusOut = $class->tsv->{statusOut};
|
||||
return $class->abort("$class: status page can not be displayed")
|
||||
|
@ -90,12 +90,11 @@ sub run {
|
|||
if ( $class->checkMaintenanceMode ) {
|
||||
|
||||
if ( $class->tsv->{useRedirectOnError} ) {
|
||||
$class->lmLog( "Got to portal with maintenance error code",
|
||||
'debug' );
|
||||
$class->logger->debug("Go to portal with maintenance error code");
|
||||
return $class->goToPortal( '/', 'lmError=' . $class->MAINTENANCE );
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Return maintenance error code", 'debug' );
|
||||
$class->logger->debug("Return maintenance error code");
|
||||
return $class->MAINTENANCE;
|
||||
}
|
||||
}
|
||||
|
@ -107,18 +106,16 @@ sub run {
|
|||
and $uri =~ s/[\?&;]${cn}cda=(\w+)$//oi )
|
||||
{
|
||||
if ( $class->fetchId and $session = $class->retrieveSession($id) ) {
|
||||
$class->lmLog(
|
||||
'CDA asked for an already available session, skipping',
|
||||
'info' );
|
||||
$class->logger->info(
|
||||
'CDA asked for an already available session, skipping');
|
||||
}
|
||||
else {
|
||||
my $cdaid = $1;
|
||||
$class->lmLog( "CDA request with id $cdaid", 'debug' );
|
||||
$class->logger->debug("CDA request with id $cdaid");
|
||||
|
||||
my $cdaInfos = $class->getCDAInfos($cdaid);
|
||||
unless ( $cdaInfos->{cookie_value} and $cdaInfos->{cookie_name} ) {
|
||||
$class->lmLog( "CDA request for id $cdaid is not valid",
|
||||
'error' );
|
||||
$class->logger->error("CDA request for id $cdaid is not valid");
|
||||
return $class->FORBIDDEN;
|
||||
}
|
||||
|
||||
|
@ -151,7 +148,7 @@ sub run {
|
|||
unless ( defined $protection );
|
||||
|
||||
if ( $protection == $class->SKIP ) {
|
||||
$class->lmLog( "Access control skipped", 'debug' );
|
||||
$class->logger->debug("Access control skipped");
|
||||
$class->updateStatus('SKIP');
|
||||
$class->hideCookie;
|
||||
$class->cleanHeaders;
|
||||
|
@ -182,7 +179,7 @@ sub run {
|
|||
|
||||
# Store local macros
|
||||
if ( keys %$session > $kc ) {
|
||||
$class->lmLog( "Update local cache", 'debug' );
|
||||
$class->logger->debug("Update local cache");
|
||||
$class->session->update( $session, { updateCache => 2 } );
|
||||
}
|
||||
|
||||
|
@ -190,12 +187,9 @@ sub run {
|
|||
$class->hideCookie;
|
||||
|
||||
# Log access granted
|
||||
$class->lmLog(
|
||||
"User "
|
||||
$class->logger->debug( "User "
|
||||
. $session->{ $class->tsv->{whatToTrace} }
|
||||
. " was granted to access to $uri",
|
||||
'debug'
|
||||
);
|
||||
. " was granted to access to $uri" );
|
||||
|
||||
# Catch POST rules
|
||||
$class->postOutputFilter( $session, $uri );
|
||||
|
@ -207,7 +201,7 @@ sub run {
|
|||
elsif ( $protection == $class->UNPROTECT ) {
|
||||
|
||||
# Ignore unprotected URIs
|
||||
$class->lmLog( "No valid session but unprotected access", 'debug' );
|
||||
$class->logger->debug("No valid session but unprotected access");
|
||||
$class->updateStatus('UNPROTECT');
|
||||
$class->hideCookie;
|
||||
$class->cleanHeaders;
|
||||
|
@ -217,7 +211,7 @@ sub run {
|
|||
else {
|
||||
|
||||
# Redirect user to the portal
|
||||
$class->lmLog( "No cookie found", 'info' )
|
||||
$class->logger->info("No cookie found")
|
||||
unless ($id);
|
||||
|
||||
# if the cookie was fetched, a log is sent by retrieveSession()
|
||||
|
@ -274,7 +268,7 @@ sub checkMaintenanceMode {
|
|||
: $class->tsv->{maintenance}->{_};
|
||||
|
||||
if ($_maintenance) {
|
||||
$class->lmLog( "Maintenance mode activated", 'debug' );
|
||||
$class->logger->debug("Maintenance mode activated");
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
|
@ -292,23 +286,19 @@ sub grant {
|
|||
$vhost ||= $class->resolveAlias;
|
||||
for ( my $i = 0 ; $i < $class->tsv->{locationCount}->{$vhost} ; $i++ ) {
|
||||
if ( $uri =~ $class->tsv->{locationRegexp}->{$vhost}->[$i] ) {
|
||||
$class->lmLog(
|
||||
'Regexp "'
|
||||
$class->logger->debug( 'Regexp "'
|
||||
. $class->tsv->{locationConditionText}->{$vhost}->[$i]
|
||||
. '" match',
|
||||
'debug'
|
||||
);
|
||||
. '" match' );
|
||||
return $class->tsv->{locationCondition}->{$vhost}->[$i]->($session);
|
||||
}
|
||||
}
|
||||
unless ( $class->tsv->{defaultCondition}->{$vhost} ) {
|
||||
$class->lmLog(
|
||||
"User rejected because VirtualHost \"$vhost\" has no configuration",
|
||||
'warn'
|
||||
$class->logger->warn(
|
||||
"User rejected because VirtualHost \"$vhost\" has no configuration"
|
||||
);
|
||||
return 0;
|
||||
}
|
||||
$class->lmLog( "$vhost: Apply default rule", 'debug' );
|
||||
$class->logger->debug("$vhost: Apply default rule");
|
||||
return $class->tsv->{defaultCondition}->{$vhost}->($session);
|
||||
}
|
||||
|
||||
|
@ -331,21 +321,18 @@ sub forbidden {
|
|||
}
|
||||
|
||||
# Log forbidding
|
||||
$class->lmLog(
|
||||
"User "
|
||||
$class->userLogger->notice( "User "
|
||||
. $session->{ $class->tsv->{whatToTrace} }
|
||||
. " was forbidden to access to $vhost$uri",
|
||||
"notice"
|
||||
);
|
||||
. " was forbidden to access to $vhost$uri" );
|
||||
$class->updateStatus( 'REJECT', $session->{ $class->tsv->{whatToTrace} } );
|
||||
|
||||
# Redirect or Forbidden?
|
||||
if ( $class->tsv->{useRedirectOnForbidden} ) {
|
||||
$class->lmLog( "Use redirect for forbidden access", 'debug' );
|
||||
$class->logger->debug("Use redirect for forbidden access");
|
||||
return $class->goToPortal( $uri, 'lmError=403' );
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Return forbidden access", 'debug' );
|
||||
$class->logger->debug("Return forbidden access");
|
||||
return $class->FORBIDDEN;
|
||||
}
|
||||
}
|
||||
|
@ -354,7 +341,7 @@ sub forbidden {
|
|||
# Hide Lemonldap::NG cookie to the protected application.
|
||||
sub hideCookie {
|
||||
my $class = shift;
|
||||
$class->lmLog( "removing cookie", 'debug' );
|
||||
$class->logger->debug("removing cookie");
|
||||
my $cookie = $class->header_in('Cookie');
|
||||
my $cn = $class->tsv->{cookieName};
|
||||
$cookie =~ s/$cn(http)?=[^,;]*[,;\s]*//og;
|
||||
|
@ -384,9 +371,8 @@ sub goToPortal {
|
|||
my ( $class, $url, $arg ) = @_;
|
||||
my ( $ret, $msg );
|
||||
my $urlc_init = $class->encodeUrl($url);
|
||||
$class->lmLog(
|
||||
"Redirect " . $class->remote_ip . " to portal (url was $url)",
|
||||
'debug' );
|
||||
$class->logger->debug(
|
||||
"Redirect " . $class->remote_ip . " to portal (url was $url)" );
|
||||
$class->set_header_out( 'Location' => $class->tsv->{portal}->()
|
||||
. "?url=$urlc_init"
|
||||
. ( $arg ? "&$arg" : "" ) );
|
||||
|
@ -418,8 +404,8 @@ sub fetchId {
|
|||
elsif ( $value =~ s/^c:// ) {
|
||||
$value = $class->tsv->{cipher}->decrypt($value);
|
||||
unless ( $value =~ s/^(.*)? (.*)$/$1/ and $2 eq $vhost ) {
|
||||
$class->lmLog( "Bad CDA cookie: available for $2 instead od $vhost",
|
||||
'error' );
|
||||
$class->userLogger->error(
|
||||
"Bad CDA cookie: available for $2 instead od $vhost");
|
||||
return undef;
|
||||
}
|
||||
}
|
||||
|
@ -439,7 +425,7 @@ sub retrieveSession {
|
|||
and $id eq $class->datas->{_session_id}
|
||||
and ( $now - $class->datasUpdate < 60 ) )
|
||||
{
|
||||
$class->lmLog( "Get session $id from Handler internal cache", 'debug' );
|
||||
$class->logger->debug("Get session $id from Handler internal cache");
|
||||
return $class->datas;
|
||||
}
|
||||
|
||||
|
@ -461,7 +447,7 @@ sub retrieveSession {
|
|||
|
||||
$class->datas( $session->data );
|
||||
|
||||
$class->lmLog( "Get session $id", 'debug' );
|
||||
$class->logger->debug("Get session $id");
|
||||
|
||||
# Verify that session is valid
|
||||
if (
|
||||
|
@ -472,7 +458,7 @@ sub retrieveSession {
|
|||
$class->tsv->{timeoutActivity} )
|
||||
)
|
||||
{
|
||||
$class->lmLog( "Session $id expired", 'info' );
|
||||
$class->logger->info("Session $id expired");
|
||||
|
||||
# Clean cached data
|
||||
$class->datas( {} );
|
||||
|
@ -489,11 +475,11 @@ sub retrieveSession {
|
|||
$class->session->update( { '_lastSeen' => $now } );
|
||||
|
||||
if ( $session->error ) {
|
||||
$class->lmLog( "Cannot update session $id", 'error' );
|
||||
$class->lmLog( $class->session->error, 'error' );
|
||||
$class->logger->error("Cannot update session $id");
|
||||
$class->logger->error( $class->session->error );
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Update _lastSeen with $now", 'debug' );
|
||||
$class->logger->debug("Update _lastSeen with $now");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -501,8 +487,8 @@ sub retrieveSession {
|
|||
return $session->data;
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Session $id can't be retrieved", 'info' );
|
||||
$class->lmLog( $session->error, 'info' );
|
||||
$class->logger->info("Session $id can't be retrieved");
|
||||
$class->logger->info( $session->error );
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -528,7 +514,7 @@ sub getCDAInfos {
|
|||
);
|
||||
|
||||
unless ( $cdaSession->error ) {
|
||||
$class->lmLog( "Get CDA session $id", 'debug' );
|
||||
$class->logger->debug("Get CDA session $id");
|
||||
|
||||
$infos->{cookie_value} = $cdaSession->data->{cookie_value};
|
||||
$infos->{cookie_name} = $cdaSession->data->{cookie_name};
|
||||
|
@ -536,8 +522,8 @@ sub getCDAInfos {
|
|||
$cdaSession->remove;
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "CDA Session $id can't be retrieved", 'info' );
|
||||
$class->lmLog( $cdaSession->error, 'info' );
|
||||
$class->logger->info("CDA Session $id can't be retrieved");
|
||||
$class->logger->info( $cdaSession->error );
|
||||
}
|
||||
|
||||
return $infos;
|
||||
|
@ -564,7 +550,7 @@ sub _buildUrl {
|
|||
or ( !$_https && $portString == 80 )
|
||||
) ? '' : ":$portString";
|
||||
my $url = "http" . ( $_https ? "s" : "" ) . "://$vhost$portString$s";
|
||||
$class->lmLog( "Build URL $url", 'debug' );
|
||||
$class->logger->debug("Build URL $url");
|
||||
return $url;
|
||||
}
|
||||
|
||||
|
@ -595,10 +581,10 @@ sub sendHeaders {
|
|||
my %headers = $class->tsv->{forgeHeaders}->{$vhost}->($session);
|
||||
foreach my $h ( sort keys %headers ) {
|
||||
if ( defined( my $v = $headers{$h} ) ) {
|
||||
$class->lmLog( "Send header $h with value $v", 'debug' );
|
||||
$class->logger->debug("Send header $h with value $v");
|
||||
}
|
||||
else {
|
||||
$class->lmLog( "Send header $h with empty value", 'debug' );
|
||||
$class->logger->debug("Send header $h with empty value");
|
||||
}
|
||||
}
|
||||
$class->set_header_in(%headers);
|
||||
|
@ -637,11 +623,11 @@ sub abort {
|
|||
eval {
|
||||
my $uri = $class->unparsed_uri;
|
||||
|
||||
$class->lmLog( $msg, 'error' );
|
||||
$class->logger->error($msg);
|
||||
|
||||
# Redirect or die
|
||||
if ( $class->tsv->{useRedirectOnError} ) {
|
||||
$class->lmLog( "Use redirect for error", 'debug' );
|
||||
$class->logger->debug("Use redirect for error");
|
||||
return $class->goToPortal( $uri, 'lmError=500' );
|
||||
}
|
||||
else {
|
||||
|
@ -655,7 +641,7 @@ sub abort {
|
|||
# Delete current user from local cache entry.
|
||||
sub localUnlog {
|
||||
my ( $class, $id ) = @_;
|
||||
$class->lmLog( 'Local handler logout', 'debug' );
|
||||
$class->logger->debug('Local handler logout');
|
||||
if ( $id //= $class->fetchId ) {
|
||||
|
||||
# Delete thread datas
|
||||
|
@ -682,7 +668,7 @@ sub postOutputFilter {
|
|||
my $vhost = $class->resolveAlias;
|
||||
|
||||
if ( defined( $class->tsv->{outputPostData}->{$vhost}->{$uri} ) ) {
|
||||
$class->lmLog( "Filling a html form with fake data", "debug" );
|
||||
$class->logger->debug("Filling a html form with fake data");
|
||||
|
||||
$class->unset_header_in("Accept-Encoding");
|
||||
my %postdata =
|
||||
|
@ -701,7 +687,7 @@ sub postInputFilter {
|
|||
my $vhost = $class->resolveAlias;
|
||||
|
||||
if ( defined( $class->tsv->{inputPostData}->{$vhost}->{$uri} ) ) {
|
||||
$class->lmLog( "Replacing fake data with real form data", "debug" );
|
||||
$class->logger->debug("Replacing fake data with real form data");
|
||||
|
||||
my %data = $class->tsv->{inputPostData}->{$vhost}->{$uri}->($session);
|
||||
foreach ( keys %data ) {
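Review bot: In the fetchId hunk, `$class->userLogger->error("Bad CDA cookie: available for $2 instead od $vhost")` only runs when the preceding `s/^(.*)? (.*)$/$1/` failed or `$2 ne $vhost`; in the failure case `$2` is not set by that match (it keeps whatever an earlier successful match in scope left, or is undef), so the vhost written to the user log can be empty or stale, and the text also reads "instead od". Capturing into named variables before the comparison and logging the captured value (or a placeholder when absent) makes the audit line trustworthy; fetchId starts outside the hunk, and the lines below replace only the `unless` block and the substitution feeding it. Separately, in the run hunk the access-granted event goes to `$class->logger->debug( "User " ... " was granted to access to $uri" )` while the matching denial in forbidden goes to `$class->userLogger->notice(...)`, so a production log would record rejections but not grants; `$class->userLogger->info(...)` keeps both sides of the access decision in the same log.
```perl
# … unchanged: cookie value decryption …
my ( $sid, $cookieVhost ) = ( $value =~ /^(.*)? (.*)$/ );
unless ( defined $cookieVhost and $cookieVhost eq $vhost ) {
    $class->userLogger->error( "Bad CDA cookie: available for "
        . ( $cookieVhost // 'none' )
        . " instead of $vhost" );
    return undef;
}
$value = $sid;
```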
@ -9,10 +9,10 @@ extends 'Lemonldap::NG::Handler::Lib::PSGI', 'Lemonldap::NG::Common::PSGI';
|
|||
our $VERSION = '2.0.0';
|
||||
|
||||
sub init {
|
||||
my ($self,$args)=@_;
|
||||
my ( $self, $args ) = @_;
|
||||
$self->api('Lemonldap::NG::Handler::PSGI::Main') unless ( $self->api );
|
||||
my $tmp = ( $self->Lemonldap::NG::Common::PSGI::init( $args )
|
||||
and $self->Lemonldap::NG::Handler::Lib::PSGI::init( $args ) );
|
||||
my $tmp = ( $self->Lemonldap::NG::Common::PSGI::init($args)
|
||||
and $self->Lemonldap::NG::Handler::Lib::PSGI::init($args) );
|
||||
return $tmp;
|
||||
}
@ -14,7 +14,7 @@ use constant DONE => 0;
|
|||
use constant SERVER_ERROR => 500;
|
||||
use constant AUTH_REQUIRED => 401;
|
||||
use constant MAINTENANCE => 503;
|
||||
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
|
||||
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
|
||||
|
||||
our $request;
|
||||
|
||||
|
@ -179,9 +179,8 @@ sub cgiName {
|
|||
|
||||
sub addToHtmlHead {
|
||||
my $self = shift;
|
||||
$self->lmLog(
|
||||
'Features like form replay or logout_app can only be used with Apache',
|
||||
'error'
|
||||
$self->logger->error(
|
||||
'Features like form replay or logout_app can only be used with Apache'
|
||||
),
|
||||
;
|
||||
}
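Review bot: The rewritten call in addToHtmlHead ends with `),` on one line and `;` on the next, so the statement is `$self->logger->error( ... ), ;` — a dangling comma operator that Perl accepts but that reads as an unfinished argument list and is flagged by perlcritic. Closing the call as `);` on a single line matches every other `logger->` call this commit introduces. The leftover comes from the old `lmLog` form and was not cleaned up when the second argument was dropped.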
@ -24,14 +24,14 @@ sub addRoute {
|
|||
sub addAuthRoute {
|
||||
my $self = shift;
|
||||
$self->routes( $self->authRoutes );
|
||||
$self->lmLog( 'Declaring auth route', 'debug' );
|
||||
$self->logger->debug('Declaring auth route');
|
||||
return $self->SUPER::addRoute(@_);
|
||||
}
|
||||
|
||||
sub addUnauthRoute {
|
||||
my $self = shift;
|
||||
$self->routes( $self->unAuthRoutes );
|
||||
$self->lmLog( 'Declaring unauth route', 'debug' );
|
||||
$self->logger->debug('Declaring unauth route');
|
||||
return $self->SUPER::addRoute(@_);
|
||||
}
|
||||
|
||||
|
@ -60,9 +60,8 @@ sub _run {
|
|||
}
|
||||
else {
|
||||
# Unset headers (handler adds a Location header)
|
||||
$self->lmLog(
|
||||
"User not authenticated, Try in use, cancel redirection",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"User not authenticated, Try in use, cancel redirection");
|
||||
$req->userData( {} );
|
||||
$req->respHeaders( [] );
|
||||
$self->routes( $self->unAuthRoutes );
@ -28,7 +28,7 @@ sub _run {
|
|||
my $self = shift;
|
||||
return sub {
|
||||
my $req = $_[0];
|
||||
$self->lmLog( 'New request', 'debug' );
|
||||
$self->logger->debug('New request');
|
||||
my $res = $self->_authAndTrace(
|
||||
Lemonldap::NG::Common::PSGI::Request->new($req) );
@ -55,7 +55,7 @@ my $h = 'Lemonldap::NG::Handler::Test';
|
|||
|
||||
ok( $h->init(), 'Initialize handler' );
|
||||
|
||||
ok( $h->checkType($apacheRequest) eq 'Main', 'Get Main type');
|
||||
ok( $h->checkType($apacheRequest) eq 'Main', 'Get Main type' );
|
||||
|
||||
ok( $ret = $h->run($apacheRequest),
|
||||
'run Handler with basic configuration and no cookie' );
@ -31,22 +31,28 @@ ok( ( defined($basic) ), 'basic extended function is defined' );
|
|||
|
||||
$sub = "sub { return ( encode_base64('test','') ) }";
|
||||
my $code = $jail->jail_reval($sub);
|
||||
ok( ( defined($code) and ref($code) eq 'CODE' ),
|
||||
'encode_base64 function is defined' );
|
||||
ok(
|
||||
( defined($code) and ref($code) eq 'CODE' ),
|
||||
'encode_base64 function is defined'
|
||||
);
|
||||
ok( $res = &$code, "Function works" );
|
||||
ok( $res eq 'dGVzdA==', 'Get good result' );
|
||||
|
||||
$sub = "sub { return(checkDate('20000000000000','21000000000000')) }";
|
||||
$sub = "sub { return(checkDate('20000000000000','21000000000000')) }";
|
||||
$code = $jail->jail_reval($sub);
|
||||
ok( ( defined($code) and ref($code) eq 'CODE' ),
|
||||
'checkDate extended function is defined' );
|
||||
ok(
|
||||
( defined($code) and ref($code) eq 'CODE' ),
|
||||
'checkDate extended function is defined'
|
||||
);
|
||||
ok( $res = &$code, "Function works" );
|
||||
ok( $res == 1, 'Get good result' );
|
||||
|
||||
$sub = "sub { return (hostname()) }";
|
||||
$sub = "sub { return (hostname()) }";
|
||||
$code = $jail->jail_reval($sub);
|
||||
ok( ( defined($code) and ref($code) eq 'CODE' ),
|
||||
'hostname api function is defined' );
|
||||
ok(
|
||||
( defined($code) and ref($code) eq 'CODE' ),
|
||||
'hostname api function is defined'
|
||||
);
|
||||
ok( $res = &$code, "Function works $res" );
|
||||
ok( $res eq 'test1.example.com', 'Get good result' );
@ -64,7 +64,7 @@ count(3);
|
|||
|
||||
# Pad path test
|
||||
|
||||
ok($res = $client->_get('/[]/test'), 'Try a bad path');
|
||||
ok( $res = $client->_get('/[]/test'), 'Try a bad path' );
|
||||
ok( $res->[0] == 400, 'Response is 400' );
|
||||
count(2);
@ -1,6 +1,6 @@
|
|||
package main;
|
||||
|
||||
sub hostname { 'test1.example.com' };
|
||||
sub hostname { 'test1.example.com' }
|
||||
|
||||
package Lemonldap::NG::Handler::Test;
|
||||
|
||||
|
@ -11,9 +11,10 @@ our $header;
|
|||
use constant defaultLogger => 'Lemonldap::NG::Common::Logger::Std';
|
||||
|
||||
use constant REDIRECT => 302;
|
||||
|
||||
#sub hostname { 'test1.example.com' }
|
||||
*hostname = \&main::hostname;
|
||||
*logger = \&Lemonldap::NG::Handler::Main::logger;
|
||||
*logger = \&Lemonldap::NG::Handler::Main::logger;
|
||||
sub newRequest { 1 }
|
||||
sub header_in { "" }
|
||||
sub is_initial_req { '1' }
@ -33,7 +33,7 @@ sub init {
|
|||
|
||||
if ( my $localconf = $self->confAcc->getLocalConf(MANAGERSECTION) ) {
|
||||
$self->{$_} = $args->{$_} //= $localconf->{$_}
|
||||
foreach ( grep {$_ !~ /^(?:l|userL)ogger$/} keys %$localconf );
|
||||
foreach ( grep { $_ !~ /^(?:l|userL)ogger$/ } keys %$localconf );
|
||||
}
|
||||
|
||||
# Manager needs to keep new Ajax behaviour
|
||||
|
@ -59,14 +59,14 @@ sub init {
|
|||
for ( my $i = 0 ; $i < @enabledModules ; $i++ ) {
|
||||
my $mod = $enabledModules[$i];
|
||||
no strict 'refs';
|
||||
if ( &{"${mod}::addRoutes"}($self,$conf) ) {
|
||||
$self->lmLog( "Module $mod enabled", 'debug' );
|
||||
if ( &{"${mod}::addRoutes"}( $self, $conf ) ) {
|
||||
$self->logger->debug("Module $mod enabled");
|
||||
push @working, $mod;
|
||||
}
|
||||
else {
|
||||
$links[$i] = undef;
|
||||
$self->lmLog( "Module $mod can not be enabled: " . $self->error,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Module $mod can not be enabled: " . $self->error );
|
||||
}
|
||||
}
|
||||
return 0 unless (@working);
|
||||
|
@ -114,9 +114,11 @@ sub javascript {
|
|||
return
|
||||
'var formPrefix=staticPrefix+"forms/";var confPrefix=scriptname+"confs/";'
|
||||
. ( $self->links ? 'var links=' . to_json( $self->links ) . ';' : '' )
|
||||
. ( $self->menuLinks
|
||||
. (
|
||||
$self->menuLinks
|
||||
? 'var menulinks=' . to_json( $self->menuLinks ) . ';'
|
||||
: '' );
|
||||
: ''
|
||||
);
|
||||
}
|
||||
|
||||
1;
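Review bot: The reformatted `&{"${mod}::addRoutes"}( $self, $conf )` in init still relies on `no strict 'refs'` and a string-built symbol, so a module listed in @enabledModules that does not define the hook presumably dies with an opaque "Undefined subroutine" error instead of reaching the else branch that logs `"Module $mod can not be enabled: " . $self->error`. Resolving the hook first, `my $hook = $mod->can('addRoutes');` and then `if ( $hook and $hook->( $self, $conf ) ) {`, keeps strict refs enabled and routes the missing-hook case into the existing error path (that message would then need its own text, since `$self->error` is not set in this case). Where @enabledModules is populated, and the start of init, are outside the hunk.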
@ -25,7 +25,8 @@ sub cTrees {
|
|||
help => 'configvhost.html#options',
|
||||
nodes => [
|
||||
'vhostPort', 'vhostHttps',
|
||||
'vhostMaintenance', 'vhostAliases', 'vhostType',
|
||||
'vhostMaintenance', 'vhostAliases',
|
||||
'vhostType',
|
||||
],
|
||||
},
|
||||
],
@ -252,8 +252,7 @@ sub tree {
|
|||
{
|
||||
title => 'combinationParams',
|
||||
help => 'authcombination.html',
|
||||
nodes =>
|
||||
[ 'combination', 'combModules' ]
|
||||
nodes => [ 'combination', 'combModules' ]
|
||||
},
|
||||
{
|
||||
title => 'nullParams',
|
||||
|
@ -439,9 +438,8 @@ sub tree {
|
|||
title => 'logParams',
|
||||
help => 'logs.html',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'trustedProxies', 'whatToTrace', 'hiddenAttributes'
|
||||
]
|
||||
nodes =>
|
||||
[ 'trustedProxies', 'whatToTrace', 'hiddenAttributes' ]
|
||||
},
|
||||
{
|
||||
title => 'cookieParams',
@ -27,7 +27,7 @@ our $VERSION = '2.0.0';
|
|||
use constant defaultRoute => 'manager.html';
|
||||
|
||||
sub addRoutes {
|
||||
my($self,$conf) = @_;
|
||||
my ( $self, $conf ) = @_;
|
||||
|
||||
# HTML template
|
||||
$self->addRoute( 'manager.html', undef, ['GET'] )
|
||||
|
@ -167,7 +167,7 @@ sub getConfByNum {
|
|||
}
|
||||
else {
|
||||
$tmp = $self->SUPER::getConfByNum( $cfgNum, @args );
|
||||
return undef unless (defined $tmp);
|
||||
return undef unless ( defined $tmp );
|
||||
}
|
||||
}
|
||||
return $cfgNum;
@ -232,8 +232,8 @@ sub notification {
|
|||
my ( $uid, $ref ) = ( $id =~ /([^_]+?)_(.+)/ );
|
||||
my $n = $self->notifAccess->get( $uid, $ref );
|
||||
unless ($n) {
|
||||
$self->lmLog( "Notification $ref not found for user $uid",
|
||||
'notice' );
|
||||
$self->userLogger->notice(
|
||||
"Notification $ref not found for user $uid");
|
||||
return $self->sendJSONresponse(
|
||||
$req,
|
||||
{
|
||||
|
@ -291,14 +291,14 @@ sub newNotification {
|
|||
delete $json->{xml};
|
||||
};
|
||||
if ($@) {
|
||||
$self->lmLog( "Notification malformed $@", 'error' );
|
||||
$self->logger->error("Notification malformed $@");
|
||||
return $self->sendError( $req, "Notification malformed: $@", 200 );
|
||||
}
|
||||
$newNotif = to_json($json);
|
||||
}
|
||||
|
||||
unless ( eval { $self->notifAccess->newNotification($newNotif) } ) {
|
||||
$self->lmLog( "Notification not created: $@", 'error' );
|
||||
$self->logger->error("Notification not created: $@");
|
||||
return $self->sendError( $req, "Notification not created: $@", 200 );
|
||||
}
|
||||
else {
|
||||
|
@ -323,7 +323,7 @@ sub updateNotification {
|
|||
my ( $uid, $ref ) = ( $id =~ /([^_]+?)_(.+)/ );
|
||||
my ( $n, $res );
|
||||
unless ( $n = $self->notifAccess->get( $uid, $ref ) ) {
|
||||
$self->lmLog( "Notification $ref not found for user $uid", 'notice' );
|
||||
$self->logger->notice("Notification $ref not found for user $uid");
|
||||
return $self->sendError( $req,
|
||||
"Notification $ref not found for user $uid" );
|
||||
}
|
||||
|
@ -335,13 +335,13 @@ sub updateNotification {
|
|||
}
|
||||
|
||||
unless ($status) {
|
||||
$self->lmLog( "Notification $ref for user $uid not deleted", 'error' );
|
||||
$self->logger->error("Notification $ref for user $uid not deleted");
|
||||
return $self->sendError( $req,
|
||||
"Notification $ref for user $uid not deleted" );
|
||||
}
|
||||
|
||||
else {
|
||||
$self->lmLog( "Notification $ref deleted for user $uid", 'info' );
|
||||
$self->logger->info("Notification $ref deleted for user $uid");
|
||||
return $self->sendJSONresponse( $req, { result => 1 } );
|
||||
}
|
||||
}
|
||||
|
@ -355,12 +355,12 @@ sub deleteDoneNotification {
|
|||
my ( $uid, $ref, $date ) = ( $id =~ /([^_]+?)_([^_]+?)_(.+)/ );
|
||||
my $identifier = $self->notifAccess->getIdentifier( $uid, $ref, $date );
|
||||
unless ( eval { $self->notifAccess->purge($identifier) } ) {
|
||||
$self->lmLog( "Notification $identifier not purged ($@)", 'warn' );
|
||||
$self->logger->warn("Notification $identifier not purged ($@)");
|
||||
return $self->sendError( $req,
|
||||
"Notification $identifier not purged ($@)", 400 );
|
||||
}
|
||||
|
||||
$self->lmLog( "Notification $identifier purged", 'info' );
|
||||
$self->logger->info("Notification $identifier purged");
|
||||
return $self->sendJSONresponse( $req, { result => 1 } );
|
||||
}
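Review bot: The same event is sent to two different logs: notification() now uses `$self->userLogger->notice("Notification $ref not found for user $uid")` while updateNotification() uses `$self->logger->notice("Notification $ref not found for user $uid")` for the identical message, and every other call converted in this file (newNotification, updateNotification, deleteDoneNotification) goes to `logger`. Both report a Manager request against a missing record rather than an end-user action, so aligning notification() on `$self->logger->notice(...)` keeps the user log reserved for user activity; if the intent was to audit which administrator looked up a missing notification, the userLogger line would also need the requester's identity, which the message does not carry. Each of these subs starts outside its hunk.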
@ -25,7 +25,7 @@ our $VERSION = '2.0.0';
|
|||
use constant defaultRoute => 'sessions.html';
|
||||
|
||||
sub addRoutes {
|
||||
my($self,$conf) = @_;
|
||||
my ( $self, $conf ) = @_;
|
||||
|
||||
# HTML template
|
||||
$self->addRoute( 'sessions.html', undef, ['GET'] )
@ -24,12 +24,17 @@ ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
|
|||
ok( $resBody->{result} == 1, "JSON response contains \"result:1\"" )
|
||||
or print STDERR Dumper($res);
|
||||
|
||||
ok( $res = &client->_get( '/confs/2/combModules', 'application/json' ), 'Get combModules');
|
||||
ok( $res = &client->_get( '/confs/2/combModules', 'application/json' ),
|
||||
'Get combModules' );
|
||||
ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
|
||||
|
||||
ok( $res = &client->_get( '/confs/2/ldapServer', 'application/json' ), 'Get combModules');
|
||||
ok( $res = &client->_get( '/confs/2/ldapServer', 'application/json' ),
|
||||
'Get combModules' );
|
||||
ok( $resBody = from_json( $res->[2]->[0] ), "Result body contains JSON text" );
|
||||
ok( $resBody->{value} eq 'ldap://192.168.1.1', 'Key ldapServer has been modified');
|
||||
ok(
|
||||
$resBody->{value} eq 'ldap://192.168.1.1',
|
||||
'Key ldapServer has been modified'
|
||||
);
|
||||
|
||||
count(9);
@ -7,8 +7,6 @@ example/soaperrortest.pl
|
|||
example/soaptest.pl
|
||||
KINEMATIC.md
|
||||
lib/Lemonldap/NG/Portal.pm
|
||||
lib/Lemonldap/NG/Portal/_i18n.pm
|
||||
lib/Lemonldap/NG/Portal/_Multi.pm
|
||||
lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
|
||||
lib/Lemonldap/NG/Portal/Auth/AD.pm
|
||||
lib/Lemonldap/NG/Portal/Auth/Apache.pm
|
||||
|
@ -34,7 +32,6 @@ lib/Lemonldap/NG/Portal/Auth/WebID.pm
|
|||
lib/Lemonldap/NG/Portal/Auth/Yubikey.pm
|
||||
lib/Lemonldap/NG/Portal/AuthMulti.pm
|
||||
lib/Lemonldap/NG/Portal/CDC.pm
|
||||
lib/Lemonldap/NG/Portal/Display.pm
|
||||
lib/Lemonldap/NG/Portal/Issuer/CAS.pm
|
||||
lib/Lemonldap/NG/Portal/Issuer/Get.pm
|
||||
lib/Lemonldap/NG/Portal/Issuer/OpenID.pm
|
||||
|
@ -71,7 +68,6 @@ lib/Lemonldap/NG/Portal/Main/Plugins.pm
|
|||
lib/Lemonldap/NG/Portal/Main/Process.pm
|
||||
lib/Lemonldap/NG/Portal/Main/Request.pm
|
||||
lib/Lemonldap/NG/Portal/Main/Run.pm
|
||||
lib/Lemonldap/NG/Portal/Menu.pm
|
||||
lib/Lemonldap/NG/Portal/Password/Base.pm
|
||||
lib/Lemonldap/NG/Portal/Password/Choice.pm
|
||||
lib/Lemonldap/NG/Portal/Password/DBI.pm
|
||||
|
@ -90,7 +86,6 @@ lib/Lemonldap/NG/Portal/Register/AD.pm
|
|||
lib/Lemonldap/NG/Portal/Register/Demo.pm
|
||||
lib/Lemonldap/NG/Portal/Register/LDAP.pm
|
||||
lib/Lemonldap/NG/Portal/Register/U2F.pm
|
||||
lib/Lemonldap/NG/Portal/Simple.pm
|
||||
lib/Lemonldap/NG/Portal/UserDB/AD.pm
|
||||
lib/Lemonldap/NG/Portal/UserDB/Choice.pm
|
||||
lib/Lemonldap/NG/Portal/UserDB/Combination.pm
@ -11,8 +11,7 @@ use SOAP::Lite;
|
|||
use Data::Dumper;
|
||||
|
||||
# Service
|
||||
my $soap =
|
||||
SOAP::Lite->new( proxy => 'http://auth.example.com/config' );
|
||||
my $soap = SOAP::Lite->new( proxy => 'http://auth.example.com/config' );
|
||||
$soap->default_ns('urn:Lemonldap/NG/Common/CGI/SOAPService');
|
||||
|
||||
# Call SOAP methods
@ -14,8 +14,7 @@ use Data::Dumper;
|
|||
my $session_id = shift @ARGV;
|
||||
|
||||
# Service
|
||||
my $soap =
|
||||
SOAP::Lite->new( proxy => 'http://auth.example.com/sessions' );
|
||||
my $soap = SOAP::Lite->new( proxy => 'http://auth.example.com/sessions' );
|
||||
$soap->default_ns('urn:Lemonldap/NG/Common/CGI/SOAPService');
|
||||
|
||||
# Call some SOAP methods
@ -108,7 +108,9 @@ portal main object. Some main methods are mapped to the plugin namespace:
|
|||
|
||||
=over
|
||||
|
||||
=item lmLog()
|
||||
=item logger() accessor to log
|
||||
|
||||
=item userLogger() accessor to log user actions
|
||||
|
||||
=item error() accessor (use it to store error during initialization)
@ -51,9 +51,9 @@ sub init {
|
|||
|
||||
if ( $self->adPwdExpireWarning > $self->adPwdMaxAge ) {
|
||||
$self->adPwdExpireWarning( $self->adPwdMaxAge );
|
||||
$self->lmLog(
|
||||
$self->logger->warn(
|
||||
"Error: ADPwdExpireWarning > ADPwdMaxAge, this should not happen",
|
||||
'warn' );
|
||||
);
|
||||
}
|
||||
return $self->SUPER::init();
|
||||
}
|
||||
|
@ -73,14 +73,14 @@ sub authenticate {
|
|||
my $expired_flag =
|
||||
0x800000; # 8 at 6th position for flag UF_PASSWORD_EXPIRED to be set
|
||||
if ( ( $computed & $mask ) == $expired_flag ) {
|
||||
$self->lmLog( "[AD] Password has expired", 'warn' );
|
||||
$self->logger->warn("[AD] Password has expired");
|
||||
$res = PE_PP_PASSWORD_EXPIRED;
|
||||
}
|
||||
|
||||
# Password must be changed if pwdLastSet 0
|
||||
if ( defined $pls and $pls == 0 ) {
|
||||
$self->lmLog( "[AD] Password reset. User must change his password",
|
||||
'warn' );
|
||||
$self->userLogger->warn(
|
||||
"[AD] Password reset. User must change his password");
|
||||
$res = PE_PP_CHANGE_AFTER_RESET;
|
||||
}
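Review bot: The two account-state outcomes in `authenticate` now land on different loggers and neither names the account: `[AD] Password has expired` goes to `logger->warn` (technical log) while `[AD] Password reset. User must change his password` goes to `userLogger->warn`, so whoever reads the user log cannot tell whose password expired or was reset. Both are per-user results of a login attempt rather than portal faults, so under the LOGGING rules this commit introduces I would put both on `userLogger` and include the identifier, e.g. `$self->userLogger->warn("[AD] Password has expired for $req->{user}");` and `$self->userLogger->warn("[AD] Password reset for $req->{user}, user must change his password");`, assuming `$req` is the request object `authenticate` receives (its signature is above the hunk). The body of `authenticate` starts and ends outside this hunk.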
|
||||
|
||||
|
|
|
@ -19,8 +19,7 @@ sub init {
|
|||
sub extractFormInfo {
|
||||
my ( $self, $req ) = @_;
|
||||
unless ( $req->{user} = $req->env->{REMOTE_USER} ) {
|
||||
$self->lmLog( 'Apache is not configured to authenticate users!',
|
||||
'error' );
|
||||
$self->logger->error('Apache is not configured to authenticate users!');
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
|
|
|
@ -78,7 +78,9 @@ Lemonldap::NG portal. They must provides methods described below.
|
|||
|
||||
=item conf: configuration hash (as reference)
|
||||
|
||||
=item lmLog: alias for p->lmLog method
|
||||
=item logger alias for p->logger accessor
|
||||
|
||||
=item userLogger alias for p->userLogger accessor
|
||||
|
||||
=item error: alias for p->error method
|
||||
|
||||
|
@ -147,6 +149,35 @@ Last method called during authentication process.
|
|||
|
||||
=head4 authLogout($req)
|
||||
|
||||
=head1 LOGGING
|
||||
|
||||
Logging is provided by $self->logger and $self->userLogger. The following rules
|
||||
must be applied:
|
||||
|
||||
=over
|
||||
|
||||
=item logger->debug: technical debugging messages
|
||||
|
||||
=item logger->info: simple technical information
|
||||
|
||||
=item logger->notice: technical information that could interest administrators
|
||||
|
||||
=item logger->warn: technical warning
|
||||
|
||||
=item logger->error: error that must be reported to administrator
|
||||
|
||||
=item userLogger->info: simple information about user's action
|
||||
|
||||
=item userLogger->notice: information that may be registered (auth success,...)
|
||||
|
||||
=item userLogger->warn: bad action of a user (auth failure). Auth/Combination
|
||||
transform it to "info" when another authentication scheme is available
|
||||
|
||||
=item userLogger->error: bad action of a user that must be reported, (even if
|
||||
another backend is available with Combination)
|
||||
|
||||
=back
|
||||
|
||||
=head1 AUTHORS
|
||||
|
||||
=over
|
||||
|
|
|
@ -72,7 +72,7 @@ sub extractFormInfo {
|
|||
and %{ $req->{portalHiddenFormValues} } )
|
||||
{
|
||||
|
||||
$self->lmLog( "Add hidden values to CAS redirect URL\n", 'debug' );
|
||||
$self->logger->debug("Add hidden values to CAS redirect URL\n");
|
||||
|
||||
foreach ( keys %{ $req->{portalHiddenFormValues} } ) {
|
||||
$local_url .=
|
||||
|
@ -83,7 +83,7 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
if ( $self->proxy ) {
|
||||
$self->lmLog( "CAS: Proxy mode activated", 'debug' );
|
||||
$self->logger->debug("CAS: Proxy mode activated");
|
||||
my $proxy_url = $self->p->fullUrl($req) . '?casProxy=1';
|
||||
|
||||
if ( $self->conf->{authChoiceParam}
|
||||
|
@ -92,7 +92,7 @@ sub extractFormInfo {
|
|||
$proxy_url .= '&' . $self->conf->{authChoiceParam} . "=$tmp";
|
||||
}
|
||||
|
||||
$self->lmLog( "CAS Proxy URL: $proxy_url", 'debug' );
|
||||
$self->logger->debug("CAS Proxy URL: $proxy_url");
|
||||
|
||||
$self->cas->proxyMode(
|
||||
pgtFile => $self->conf->{CAS_pgtFile},
|
||||
|
@ -102,7 +102,7 @@ sub extractFormInfo {
|
|||
|
||||
# Catch proxy callback
|
||||
if ( $req->param('casProxy') ) {
|
||||
$self->lmLog( "CAS: Proxy callback detected", 'debug' );
|
||||
$self->logger->debug("CAS: Proxy callback detected");
|
||||
|
||||
my $pgtIou = $req->param('pgtIou');
|
||||
my $pgtId = $req->param('pgtId');
|
||||
|
@ -111,11 +111,11 @@ sub extractFormInfo {
|
|||
|
||||
# Store pgtId and pgtIou
|
||||
unless ( $self->cas->storePGT( $pgtIou, $pgtId ) ) {
|
||||
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
|
||||
$self->logger->error( "CAS: error " . &AuthCAS::get_errors() );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "CAS: Store pgtIou $pgtIou and pgtId $pgtId",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"CAS: Store pgtIou $pgtIou and pgtId $pgtId");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -134,21 +134,21 @@ sub extractFormInfo {
|
|||
|
||||
# Unless a ticket has been found, we redirect the user
|
||||
unless ($ticket) {
|
||||
$self->lmLog( "CAS: Redirect user to $login_url", 'debug' );
|
||||
$self->logger->debug("CAS: Redirect user to $login_url");
|
||||
$req->{urldc} = $login_url;
|
||||
$req->steps( [] );
|
||||
return PE_REDIRECT;
|
||||
}
|
||||
|
||||
$self->lmLog( "CAS: Service Ticket received: $ticket", 'debug' );
|
||||
$self->logger->debug("CAS: Service Ticket received: $ticket");
|
||||
|
||||
# Ticket found, try to validate it
|
||||
unless ( $req->{user} = $self->cas->validateST( $local_url, $ticket ) ) {
|
||||
$self->lmLog( "CAS: error " . &AuthCAS::get_errors(), 'error' );
|
||||
$self->logger->error( "CAS: error " . &AuthCAS::get_errors() );
|
||||
return PE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "CAS: User $req->{user} found", 'debug' );
|
||||
$self->logger->debug("CAS: User $req->{user} found");
|
||||
}
|
||||
|
||||
# Request proxy tickets for proxied services
|
||||
|
@ -158,8 +158,8 @@ sub extractFormInfo {
|
|||
my $pgtId = $self->cas->{pgtId};
|
||||
|
||||
unless ($pgtId) {
|
||||
$self->lmLog( "CAS: Proxy mode activated, but no PGT received",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"CAS: Proxy mode activated, but no PGT received");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
|
@ -169,14 +169,13 @@ sub extractFormInfo {
|
|||
my $pt = $self->cas->retrievePT($service);
|
||||
|
||||
unless ($pt) {
|
||||
$self->lmLog(
|
||||
"CAS: No proxy ticket recevied for service $service",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"CAS: No proxy ticket recevied for service $service");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "CAS: Received proxy ticket $pt for service $service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"CAS: Received proxy ticket $pt for service $service");
|
||||
|
||||
# Store it in session
|
||||
$req->{sessionInfo}->{ '_casPT' . $_ } = $pt;
|
||||
|
@ -205,7 +204,7 @@ sub authLogout {
|
|||
my $logout_url =
|
||||
$self->cas->getServerLogoutURL( uri_escape( $self->p->fullUrl($req) ) );
|
||||
|
||||
$self->lmLog( "Build CAS logout URL: $logout_url", 'debug' );
|
||||
$self->logger->debug("Build CAS logout URL: $logout_url");
|
||||
|
||||
# Register CAS logout URL in logoutServices
|
||||
$req->datas->{logoutServices}->{CASserver} = $logout_url;
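Review bot: Several debug lines in `extractFormInfo` write CAS bearer credentials verbatim into the log: `"CAS: Store pgtIou $pgtIou and pgtId $pgtId"`, `"CAS: Service Ticket received: $ticket"` and `"CAS: Received proxy ticket $pt for service $service"`. The pgtId in particular lets its holder mint proxy tickets for the lifetime of the PGT, and debug logs routinely end up in support tickets and log aggregators, so the refactor of every log call is the moment to stop printing them. I would log only the non-secret correlation handle, e.g. `$self->logger->debug("CAS: Store pgtIou $pgtIou (pgtId not logged)");`, and replace `$ticket` and `$pt` by their length or a short prefix (`substr($ticket, 0, 8) . "..."`). `extractFormInfo` begins before the first hunk of this file and continues between hunks.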
|
||||
|
|
|
@ -124,7 +124,7 @@ sub getStack {
|
|||
return $req->datas->{multiStack} if ( $req->datas->{multiStack} );
|
||||
my $stack = $req->datas->{multiStack} = $self->stackSub->( $req->env );
|
||||
unless ($stack) {
|
||||
$self->lmLog( 'No authentication scheme for this user', 'error' );
|
||||
$self->logger->error('No authentication scheme for this user');
|
||||
}
|
||||
@{ $req->datas->{multiSteps} } = ( @steps, @{ $req->steps } );
|
||||
$req->datas->{multiTry} = 0;
|
||||
|
@ -145,8 +145,8 @@ sub try {
|
|||
|
||||
# On error, restart authentication with next scheme
|
||||
if ( $res > PE_OK ) {
|
||||
$self->lmLog( qq'Scheme "$name" has return $res, trying next',
|
||||
'info' );
|
||||
$self->logger->info(
|
||||
qq'Scheme "$name" has return $res, trying next');
|
||||
$req->datas->{multiTry}++;
|
||||
$req->steps( [ @{ $req->datas->{multiSteps} } ] );
|
||||
return PE_OK;
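Review bot: In `try`, a failed scheme is recorded with `$self->logger->info(qq'Scheme "$name" has return $res, trying next')`, i.e. on the technical logger, so a credential-stuffing run against a Multi stack never appears in `userLogger` where the LOGGING rules added in this commit say authentication failures belong (at `info` when another scheme remains, as documented for Combination). I would move it to the user logger and fix the grammar: `$self->userLogger->info(qq'Scheme "$name" has returned $res, trying next');`, adding ` for $req->{user}` if the user name is already known at this point (`$req` is in scope since the next line touches `$req->datas`). The `try` body starts and ends outside the hunk.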
|
||||
|
|
|
@ -21,9 +21,8 @@ sub init {
|
|||
my $self = shift;
|
||||
|
||||
# Add warning in log
|
||||
$self->lmLog(
|
||||
"Using demonstration mode, go to Manager to edit the configuration",
|
||||
'warn' );
|
||||
$self->logger->warn(
|
||||
"Using demonstration mode, go to Manager to edit the configuration");
|
||||
|
||||
return $self->Lemonldap::NG::Portal::Auth::_WebForm::init();
|
||||
}
|
||||
|
|
|
@ -61,14 +61,13 @@ sub extractFormInfo {
|
|||
{ fields => join( ',', @fields ) }
|
||||
)->as_hash;
|
||||
unless ( ref $datas ) {
|
||||
$self->lmLog( "Unable to get any Facebook field", 'error' );
|
||||
$self->logger->error("Unable to get any Facebook field");
|
||||
return PE_ERROR;
|
||||
}
|
||||
if ( $datas->{error} ) {
|
||||
my $tmp = pop @fields;
|
||||
$self->lmLog(
|
||||
"Unable to get some Facebook fields ($datas->{error}->{message}). Retrying without $tmp",
|
||||
'warn'
|
||||
$self->logger->warn(
|
||||
"Unable to get some Facebook fields ($datas->{error}->{message}). Retrying without $tmp"
|
||||
);
|
||||
}
|
||||
else {
|
||||
|
@ -76,13 +75,13 @@ sub extractFormInfo {
|
|||
}
|
||||
}
|
||||
unless (@fields) {
|
||||
$self->lmLog( "Unable to get any Facebook field", 'error' );
|
||||
$self->logger->error("Unable to get any Facebook field");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Use id fieldto trace user
|
||||
unless ( $req->{user} = $datas->{id} ) {
|
||||
$self->lmLog( 'Unable to get Facebook id', 'error' );
|
||||
$self->logger->error('Unable to get Facebook id');
|
||||
return PE_ERROR;
|
||||
}
|
||||
$req->datas->{_facebookDatas} = $datas;
|
||||
|
@ -97,8 +96,7 @@ sub extractFormInfo {
|
|||
# 1.2 Bad responses
|
||||
if ( my $error_code = $req->param('error_code') ) {
|
||||
my $error_message = $req->param('error_message');
|
||||
$self->lmLog( "Facebook error code $error_code: $error_message",
|
||||
'error' );
|
||||
$self->logger->error("Facebook error code $error_code: $error_message");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
|
@ -160,7 +158,7 @@ sub fb {
|
|||
callback => $ret,
|
||||
);
|
||||
};
|
||||
$self->lmLog( $@, 'error' ) if ($@);
|
||||
$self->logger->error($@) if ($@);
|
||||
return $fb;
|
||||
}
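Review bot: The line `$self->logger->error("Facebook error code $error_code: $error_message");` writes two query-string parameters (`error_code` and `error_message` both come from `$req->param`) unfiltered into the error log, so anyone who can reach the callback URL can inject CR/LF and forge or split log records, and `$error_message` may be undef and raise a warning. Since every log call is being touched anyway, I would normalise before logging: `my $error_message = $req->param('error_message') // '';` followed by `$error_message =~ s/[[:cntrl:]]+/ /g;`, and apply the same to `$error_code`. The `extractFormInfo` body starts before this hunk and continues after it.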
|
||||
|
||||
|
|
|
@ -93,7 +93,7 @@ sub extractFormInfo {
|
|||
|
||||
# Remote error
|
||||
unless ( $csr->is_server_response() ) {
|
||||
$self->lmLog( 'No OpenID valid message found', 'info' );
|
||||
$self->logger->info('No OpenID valid message found');
|
||||
return PE_BADCREDENTIALS;
|
||||
}
|
||||
|
||||
|
@ -106,22 +106,22 @@ sub extractFormInfo {
|
|||
|
||||
# Check if user has refused to share his authentication
|
||||
elsif ( $csr->user_cancel() ) {
|
||||
$self->lmLog( 'OpenID request cancelled by user', 'info' );
|
||||
$self->logger->info('OpenID request cancelled by user');
|
||||
return PE_FIRSTACCESS;
|
||||
}
|
||||
|
||||
# TODO: check verified identity
|
||||
elsif ( $req->datas->{vident} = $csr->verified_identity ) {
|
||||
$req->user( $req->datas->{vident}->url() );
|
||||
$self->lmLog( "OpenID good authentication for $req->{user}",
|
||||
'debug' );
|
||||
$self->userLogger->notice(
|
||||
"OpenID good authentication for $req->{user}");
|
||||
$req->{mustRedirect} = 1;
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
# Other errors
|
||||
else {
|
||||
$self->lmLog( 'OpenID error: ' . $csr->err, 'warn' );
|
||||
$self->logger->warn( 'OpenID error: ' . $csr->err );
|
||||
return PE_ERROR;
|
||||
}
|
||||
}
|
||||
|
@ -138,12 +138,12 @@ sub extractFormInfo {
|
|||
|
||||
# Check if url is valid
|
||||
unless ($claimed_identity) {
|
||||
$self->lmLog( 'OpenID error : ' . $req->{csr}->err(), 'warn' );
|
||||
$self->logger->warn( 'OpenID error : ' . $req->{csr}->err() );
|
||||
return PE_BADCREDENTIALS;
|
||||
}
|
||||
|
||||
# Build the redirection
|
||||
$self->lmLog( "OpenID redirection to $url", 'debug' );
|
||||
$self->logger->debug("OpenID redirection to $url");
|
||||
my $check_url = $claimed_identity->check_url(
|
||||
return_to => $self->conf->{portal}
|
||||
. '?openid=1&'
|
||||
|
@ -175,9 +175,8 @@ sub extractFormInfo {
|
|||
else { push @o, $k }
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
qq'Unknown "OpenID Simple Registration Extension" field name: $k',
|
||||
'warn'
|
||||
$self->logger->warn(
|
||||
qq'Unknown "OpenID Simple Registration Extension" field name: $k'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -26,7 +26,7 @@ sub init {
|
|||
return 0 unless ( $self->loadOPs and $self->refreshJWKSdata );
|
||||
my @tab = ( sort keys %{ $self->oidcOPList } );
|
||||
unless (@tab) {
|
||||
$self->lmLog( "No OP configured", 'error' );
|
||||
$self->logger->error("No OP configured");
|
||||
return 0;
|
||||
}
|
||||
$self->opNumber( scalar @tab );
|
||||
|
@ -69,8 +69,8 @@ sub extractFormInfo {
|
|||
# Check callback
|
||||
if ( $req->param( $self->conf->{oidcRPCallbackGetParam} ) ) {
|
||||
|
||||
$self->lmLog( 'OpenIDConnect callback URI detected: ' . $req->uri,
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'OpenIDConnect callback URI detected: ' . $req->uri );
|
||||
|
||||
# AuthN Response
|
||||
my $state = $req->param('state');
|
||||
|
@ -78,10 +78,10 @@ sub extractFormInfo {
|
|||
# Restore state
|
||||
if ($state) {
|
||||
if ( $self->extractState( $req, $state ) ) {
|
||||
$self->lmLog( "State $state extracted", 'debug' );
|
||||
$self->logger->debug("State $state extracted");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to extract state $state", 'error' );
|
||||
$self->logger->error("Unable to extract state $state");
|
||||
return PE_ERROR;
|
||||
}
|
||||
}
|
||||
|
@ -90,11 +90,11 @@ sub extractFormInfo {
|
|||
my $op = $req->datas->{_oidcOPCurrent};
|
||||
|
||||
unless ($op) {
|
||||
$self->lmLog( "OpenID Provider not found", 'error' );
|
||||
$self->logger->error("OpenID Provider not found");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Using OpenID Provider $op", 'debug' );
|
||||
$self->logger->debug("Using OpenID Provider $op");
|
||||
|
||||
# Check error
|
||||
my $error = $req->param("error");
|
||||
|
@ -102,10 +102,10 @@ sub extractFormInfo {
|
|||
my $error_description = $req->param("error_description");
|
||||
my $error_uri = $req->param("error_uri");
|
||||
|
||||
$self->lmLog( "Error returned by $op Provider: $error", 'error' );
|
||||
$self->lmLog( "Error description: $error_description", 'error' )
|
||||
$self->logger->error("Error returned by $op Provider: $error");
|
||||
$self->logger->error("Error description: $error_description")
|
||||
if $error_description;
|
||||
$self->lmLog( "Error URI: $error_uri", 'error' ) if $error_uri;
|
||||
$self->logger->error("Error URI: $error_uri") if $error_uri;
|
||||
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
@ -125,38 +125,37 @@ sub extractFormInfo {
|
|||
my $json = $self->decodeJSON($content);
|
||||
|
||||
if ( $json->{error} ) {
|
||||
$self->lmLog( "Error in token response:" . $json->{error},
|
||||
'error' );
|
||||
$self->logger->error( "Error in token response:" . $json->{error} );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Check validity of token response
|
||||
unless ( $self->checkTokenResponseValidity($json) ) {
|
||||
$self->lmLog( "Token response is not valid", 'error' );
|
||||
$self->logger->error("Token response is not valid");
|
||||
return PE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Token response is valid", 'debug' );
|
||||
$self->logger->debug("Token response is valid");
|
||||
}
|
||||
|
||||
my $access_token = $json->{access_token};
|
||||
my $id_token = $json->{id_token};
|
||||
|
||||
$self->lmLog( "Access token: $access_token", 'debug' );
|
||||
$self->lmLog( "ID token: $id_token", 'debug' );
|
||||
$self->logger->debug("Access token: $access_token");
|
||||
$self->logger->debug("ID token: $id_token");
|
||||
|
||||
# Verify JWT signature
|
||||
if ( $self->conf->{oidcOPMetaDataOptions}->{$op}
|
||||
->{oidcOPMetaDataOptionsCheckJWTSignature} )
|
||||
{
|
||||
unless ( $self->verifyJWTSignature( $id_token, $op ) ) {
|
||||
$self->lmLog( "JWT signature verification failed", 'error' );
|
||||
$self->logger->error("JWT signature verification failed");
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog( "JWT signature verified", 'debug' );
|
||||
$self->logger->debug("JWT signature verified");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "JWT signature check disabled", 'debug' );
|
||||
$self->logger->debug("JWT signature check disabled");
|
||||
}
|
||||
|
||||
my $id_token_payload = $self->extractJWT($id_token)->[1];
|
||||
|
@ -168,25 +167,24 @@ sub extractFormInfo {
|
|||
my $at_hash = $id_token_payload_hash->{at_hash};
|
||||
if ($at_hash) {
|
||||
unless ( $self->verifyHash( $access_token, $at_hash, $id_token ) ) {
|
||||
$self->lmLog( "Access token hash verification failed",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Access token hash verification failed");
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog( "Access token hash verified", 'debug' );
|
||||
$self->logger->debug("Access token hash verified");
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"No at_hash in ID Token, access token will not be verified",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"No at_hash in ID Token, access token will not be verified");
|
||||
}
|
||||
|
||||
# Check validity of ID Token
|
||||
unless ( $self->checkIDTokenValidity( $op, $id_token_payload_hash ) ) {
|
||||
$self->lmLog( 'ID Token not valid', 'error' );
|
||||
$self->logger->error('ID Token not valid');
|
||||
return PE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'ID Token is valid', 'debug' );
|
||||
$self->logger->debug('ID Token is valid');
|
||||
}
|
||||
|
||||
# Get user id defined in 'sub' field
|
||||
|
@ -196,7 +194,7 @@ sub extractFormInfo {
|
|||
$req->datas->{access_token} = $access_token;
|
||||
$req->datas->{id_token} = $id_token;
|
||||
|
||||
$self->lmLog( "Found user_id: " . $user_id, 'debug' );
|
||||
$self->logger->debug( "Found user_id: " . $user_id );
|
||||
$req->user($user_id);
|
||||
|
||||
return PE_OK;
|
||||
|
@ -206,12 +204,12 @@ sub extractFormInfo {
|
|||
my $op;
|
||||
|
||||
unless ( $op = $req->param("idp") ) {
|
||||
$self->lmLog( "Redirecting user to OP list", 'debug' );
|
||||
$self->logger->debug("Redirecting user to OP list");
|
||||
|
||||
# Auto select provider if there is only one
|
||||
if ( $self->opNumber == 1 ) {
|
||||
$op = $self->opList->[0]->{val};
|
||||
$self->lmLog( "Selecting the only defined OP: $op", 'debug' );
|
||||
$self->logger->debug("Selecting the only defined OP: $op");
|
||||
}
|
||||
|
||||
else {
|
||||
|
@ -231,12 +229,12 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
# Provider is choosen
|
||||
$self->lmLog( "OpenID Provider $op choosen", 'debug' );
|
||||
$self->logger->debug("OpenID Provider $op choosen");
|
||||
|
||||
$req->datas->{_oidcOPCurrent} = $op;
|
||||
|
||||
# AuthN Request
|
||||
$self->lmLog( "Build OpenIDConnect AuthN Request", 'debug' );
|
||||
$self->logger->debug("Build OpenIDConnect AuthN Request");
|
||||
|
||||
# Save state
|
||||
my $state = $self->storeState( $req, qw/urldc checkLogins _oidcOPCurrent/ );
|
||||
|
@ -245,7 +243,7 @@ sub extractFormInfo {
|
|||
$req->urldc(
|
||||
$self->buildAuthorizationCodeAuthnRequest( $req, $op, $state ) );
|
||||
|
||||
$self->lmLog( "Redirect user to " . $req->{urldc}, 'debug' );
|
||||
$self->logger->debug( "Redirect user to " . $req->{urldc} );
|
||||
$req->continue(1);
|
||||
$req->steps( [] );
|
||||
|
||||
|
@ -270,11 +268,11 @@ sub setAuthSessionInfo {
|
|||
my $store_IDToken = $self->conf->{oidcOPMetaDataOptions}->{$op}
|
||||
->{oidcOPMetaDataOptionsStoreIDToken};
|
||||
if ($store_IDToken) {
|
||||
$self->lmLog( "Store ID Token in session", 'debug' );
|
||||
$self->logger->debug("Store ID Token in session");
|
||||
$req->{sessionInfo}->{OpenIDConnect_IDToken} = $req->datas->{id_token};
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "ID Token will not be stored in session", 'debug' );
|
||||
$self->logger->debug("ID Token will not be stored in session");
|
||||
}
|
||||
|
||||
PE_OK;
|
||||
|
@ -298,12 +296,11 @@ sub authLogout {
|
|||
)
|
||||
);
|
||||
|
||||
$self->lmLog(
|
||||
"OpenID Connect logout to $op will be done on " . $req->urldc,
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"OpenID Connect logout to $op will be done on " . $req->urldc );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No end session endpoint found for $op", 'debug' );
|
||||
$self->logger->debug("No end session endpoint found for $op");
|
||||
}
|
||||
PE_OK;
|
||||
}
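Review bot: `$self->logger->debug("Access token: $access_token");` and `$self->logger->debug("ID token: $id_token");` in `extractFormInfo` dump a live bearer credential and an ID token (which can carry user PII) into the log in full; a debug log captured for troubleshooting then contains everything needed to call the OP's userinfo endpoint as that user. I would log only that they were received and their length, e.g. `$self->logger->debug("Access token received (" . length($access_token) . " chars)");`, and the LOGGING section this commit adds to the Auth POD would be a good place for a rule that credentials are never logged at any level. Two smaller points in the same hunks: `JWT signature check disabled` is a security-relevant configuration state that deserves `logger->notice` or `warn` rather than `debug`, and `$error`, `$error_description` and `$error_uri` are taken straight from `$req->param` and logged unfiltered, so control characters should be stripped before the `logger->error` calls. `extractFormInfo` begins before the first hunk of this file and spans several hunks.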
|
||||
|
|
|
@ -17,9 +17,12 @@ our $VERSION = '2.0.0';
|
|||
|
||||
has radius => ( is => 'rw' );
|
||||
|
||||
has authnLevel => ( is => 'rw', default => sub {
|
||||
$_[0]->conf->{radiusAuthnLevel};
|
||||
});
|
||||
has authnLevel => (
|
||||
is => 'rw',
|
||||
default => sub {
|
||||
$_[0]->conf->{radiusAuthnLevel};
|
||||
}
|
||||
);
|
||||
|
||||
sub initRadius {
|
||||
$_[0]->radius(
|
||||
|
@ -44,11 +47,11 @@ sub init {
|
|||
|
||||
sub authenticate {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->initRadius unless($self->radius);
|
||||
return PE_RADIUSCONNECTFAILED unless($self->radius);
|
||||
$self->initRadius unless ( $self->radius );
|
||||
return PE_RADIUSCONNECTFAILED unless ( $self->radius );
|
||||
|
||||
my $res = $self->radius->check_pwd($req->user, $req->datas->{password});
|
||||
unless($res==1){
|
||||
my $res = $self->radius->check_pwd( $req->user, $req->datas->{password} );
|
||||
unless ( $res == 1 ) {
|
||||
$self->p->userNotice("Unable to authenticate $req->{user} !");
|
||||
return PE_BADCREDENTIALS;
|
||||
}
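Review bot: `$self->p->userNotice("Unable to authenticate $req->{user} !");` in `authenticate` still goes through the old portal-level helper while this commit migrates everything else to the new accessors, and under the LOGGING rules it introduces a bad-credentials event is `userLogger->warn`, not a notice. I would change it to `$self->userLogger->warn("Unable to authenticate $req->{user} !");` so Radius failures are classified like the other backends, assuming `p->userNotice` is slated for removal like `lmLog` (it is only context here, so I cannot tell from the hunk). The `authenticate` body continues past the end of the hunk.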
|
||||
|
|
|
@ -85,8 +85,8 @@ sub extractFormInfo {
|
|||
|
||||
# 1.1 SSO assertion consumer
|
||||
if ( $url =~ $self->sloAssConsumerRe ) {
|
||||
$self->lmLog( "URL $url detected as an SSO assertion consumer URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL $url detected as an SSO assertion consumer URL");
|
||||
|
||||
# Check SAML Message
|
||||
my ( $request, $response, $method, $relaystate, $artifact ) =
|
||||
|
@ -111,29 +111,28 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "SSO: Fail to process authentication response",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"SAML SSO: Fail to process authentication response");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "SSO: authentication response is valid", 'debug' );
|
||||
$self->logger->debug("SSO: authentication response is valid");
|
||||
|
||||
# Get IDP entityID
|
||||
my $idp = $login->remote_providerID();
|
||||
|
||||
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
|
||||
$self->logger->debug("Found entityID $idp in SAML message");
|
||||
|
||||
# IDP conf key
|
||||
my $idpConfKey = $self->idpList->{$idp}->{confKey};
|
||||
|
||||
unless ($idpConfKey) {
|
||||
$self->lmLog( "$idp do not match any IDP in configuration",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"$idp do not match any IDP in configuration");
|
||||
return PE_SAML_UNKNOWN_ENTITY;
|
||||
}
|
||||
|
||||
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
|
||||
'debug' );
|
||||
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
|
||||
|
||||
# Do we check signature?
|
||||
my $checkSSOMessageSignature =
|
||||
|
@ -153,22 +152,21 @@ sub extractFormInfo {
|
|||
}
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "Signature is not valid", 'error' );
|
||||
$self->logger->error("Signature is not valid");
|
||||
return PE_SAML_SIGNATURE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Signature is valid", 'debug' );
|
||||
$self->logger->debug("Signature is valid");
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Message signature will not be checked",
|
||||
'debug' );
|
||||
$self->logger->debug("Message signature will not be checked");
|
||||
}
|
||||
|
||||
# Get SAML response
|
||||
my $saml_response = $login->response();
|
||||
unless ($saml_response) {
|
||||
$self->lmLog( "No SAML response found", 'error' );
|
||||
$self->logger->error("No SAML response found");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -183,9 +181,8 @@ sub extractFormInfo {
|
|||
|
||||
# Assertion was already consumed or is expired
|
||||
# Force authentication replay
|
||||
$self->lmLog(
|
||||
"Message $assertion_responded already used or expired, replay authentication",
|
||||
'error'
|
||||
$self->userLogger->error(
|
||||
"Message $assertion_responded already used or expired, replay authentication"
|
||||
);
|
||||
delete $req->{urldc};
|
||||
$req->mustRedirect(1);
|
||||
|
@ -194,9 +191,8 @@ sub extractFormInfo {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Assertion is not a response to a created authentication request, do not control replay",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Assertion is not a response to a created authentication request, do not control replay"
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -204,13 +200,12 @@ sub extractFormInfo {
|
|||
my $assertion = $self->getAssertion($login);
|
||||
|
||||
unless ($assertion) {
|
||||
$self->lmLog( "No assertion found", 'error' );
|
||||
$self->logger->error("No assertion found");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
# Do we check conditions?
|
||||
my $checkTime =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $checkTime = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsCheckTime};
|
||||
my $checkAudience =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
|
@ -224,7 +219,7 @@ sub extractFormInfo {
|
|||
)
|
||||
)
|
||||
{
|
||||
$self->lmLog( "Conditions not validated", 'error' );
|
||||
$self->logger->error("Conditions not validated");
|
||||
return PE_SAML_CONDITIONS_ERROR;
|
||||
}
|
||||
|
||||
|
@ -234,7 +229,7 @@ sub extractFormInfo {
|
|||
|
||||
# Extract RelayState information
|
||||
if ( $self->extractRelayState( $relaystate, $relayStateURL ) ) {
|
||||
$self->lmLog( "RelayState $relaystate extracted", 'debug' );
|
||||
$self->logger->debug("RelayState $relaystate extracted");
|
||||
}
|
||||
|
||||
# Check if we accept direct login from IDP
|
||||
|
@ -242,9 +237,8 @@ sub extractFormInfo {
|
|||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsAllowLoginFromIDP};
|
||||
if ( !$assertion_responded and !$allowLoginFromIDP ) {
|
||||
$self->lmLog(
|
||||
"Direct login from IDP $idpConfKey is not allowed",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Direct login from IDP $idpConfKey is not allowed");
|
||||
return PE_SAML_IDPSSOINITIATED_NOTALLOWED;
|
||||
}
|
||||
|
||||
|
@ -256,15 +250,13 @@ sub extractFormInfo {
|
|||
->AuthnContextClassRef();
|
||||
};
|
||||
if ($@) {
|
||||
$self->lmLog(
|
||||
"Unable to get authentication context from $idpConfKey",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Unable to get authentication context from $idpConfKey");
|
||||
$responseAuthnContext = $self->getAuthnContext("unspecified");
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Found authentication context: $responseAuthnContext",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Found authentication context: $responseAuthnContext");
|
||||
}
|
||||
|
||||
# Map authentication context to authentication level
|
||||
|
@ -282,10 +274,10 @@ sub extractFormInfo {
|
|||
$session_index = $assertion->AuthnStatement()->SessionIndex();
|
||||
};
|
||||
if ( $@ or !defined($session_index) ) {
|
||||
$self->lmLog( "No SessionIndex found", 'debug' );
|
||||
$self->logger->debug("No SessionIndex found");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Found SessionIndex $session_index", 'debug' );
|
||||
$self->logger->debug("Found SessionIndex $session_index");
|
||||
}
|
||||
|
||||
# Get NameID
|
||||
|
@ -295,11 +287,11 @@ sub extractFormInfo {
|
|||
my $user = $nameid->content;
|
||||
|
||||
unless ($user) {
|
||||
$self->lmLog( "No NameID value found", 'error' );
|
||||
$self->logger->error("No NameID value found");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Found NameID: $user", 'debug' );
|
||||
$self->logger->debug("Found NameID: $user");
|
||||
$req->user($user);
|
||||
|
||||
# Store Lasso objects
|
||||
|
@ -312,7 +304,7 @@ sub extractFormInfo {
|
|||
# Store Token
|
||||
my $saml_token = $assertion->export_to_xml;
|
||||
|
||||
$self->lmLog( "SAML Token: $saml_token", 'debug' );
|
||||
$self->logger->debug("SAML Token: $saml_token");
|
||||
|
||||
$req->datas->{_samlToken} = $saml_token;
|
||||
|
||||
|
@ -329,9 +321,8 @@ sub extractFormInfo {
|
|||
|
||||
# Warning if more than one session found
|
||||
if ( $#saml_sessions_keys > 0 ) {
|
||||
$self->lmLog(
|
||||
"More than one SAML proxy session found for ID $assertion_responded",
|
||||
'warn'
|
||||
$self->logger->warn(
|
||||
"More than one SAML proxy session found for ID $assertion_responded"
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -339,9 +330,8 @@ sub extractFormInfo {
|
|||
my $saml_session = shift @saml_sessions_keys;
|
||||
|
||||
# Get session
|
||||
$self->lmLog(
|
||||
"Retrieve SAML proxy session $saml_session for ID $assertion_responded",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Retrieve SAML proxy session $saml_session for ID $assertion_responded"
|
||||
);
|
||||
|
||||
my $samlSessionInfo = $self->getSamlSession($saml_session);
|
||||
|
@ -364,16 +354,15 @@ sub extractFormInfo {
|
|||
elsif ($request) {
|
||||
|
||||
# Do nothing
|
||||
$self->lmLog(
|
||||
"This module do not manage SSO request, see IssuerDBSAML",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"This module do not manage SSO request, see IssuerDBSAML");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
else {
|
||||
|
||||
# This should not happen
|
||||
$self->lmLog( "SSO request or response was not found", 'error' );
|
||||
$self->logger->error("SSO request or response was not found");
|
||||
|
||||
return PE_SAML_ERROR;
|
||||
}
|
||||
|
@ -382,7 +371,7 @@ sub extractFormInfo {
|
|||
|
||||
# 1.2 SLO
|
||||
elsif ( $url =~ $self->sloRe ) {
|
||||
$self->lmLog( "URL $url detected as an SLO URL", 'debug' );
|
||||
$self->logger->debug("URL $url detected as an SLO URL");
|
||||
|
||||
# TODO: call authLogout instead of duplicating SLO
|
||||
$req->steps( [ @{ $self->p->beforeLogout }, 'deleteSession' ] );
|
||||
|
@ -404,11 +393,11 @@ sub extractFormInfo {
|
|||
my $result = $self->processLogoutResponseMsg( $logout, $response );
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "Fail to process logout response", 'error' );
|
||||
$self->logger->error("Fail to process logout response");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout response is valid", 'debug' );
|
||||
$self->logger->debug("Logout response is valid");
|
||||
|
||||
# Check Destination
|
||||
return PE_SAML_DESTINATION_ERROR
|
||||
|
@ -417,19 +406,18 @@ sub extractFormInfo {
|
|||
# Get IDP entityID
|
||||
my $idp = $logout->remote_providerID();
|
||||
|
||||
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
|
||||
$self->logger->debug("Found entityID $idp in SAML message");
|
||||
|
||||
# IDP conf key
|
||||
my $idpConfKey = $self->idpList->{$idp}->{confKey};
|
||||
|
||||
unless ($idpConfKey) {
|
||||
$self->lmLog( "$idp do not match any IDP in configuration",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"$idp do not match any IDP in configuration");
|
||||
return PE_SAML_UNKNOWN_ENTITY;
|
||||
}
|
||||
|
||||
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
|
||||
'debug' );
|
||||
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
|
||||
|
||||
# Do we check signature?
|
||||
my $checkSLOMessageSignature =
|
||||
|
@ -443,16 +431,15 @@ sub extractFormInfo {
|
|||
$result = $self->processLogoutResponseMsg( $logout, $response );
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "Signature is not valid", 'error' );
|
||||
$self->logger->error("Signature is not valid");
|
||||
return PE_SAML_SIGNATURE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Signature is valid", 'debug' );
|
||||
$self->logger->debug("Signature is valid");
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Message signature will not be checked",
|
||||
'debug' );
|
||||
$self->logger->debug("Message signature will not be checked");
|
||||
}
|
||||
|
||||
# Replay protection
|
||||
|
@ -461,16 +448,16 @@ sub extractFormInfo {
|
|||
unless ( $self->replayProtection($samlID) ) {
|
||||
|
||||
# Logout request was already consumed or is expired
|
||||
$self->lmLog( "Message $samlID already used or expired",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Message $samlID already used or expired");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
# If URL in RelayState, different from portal, redirect user
|
||||
if ( $self->extractRelayState($relaystate) ) {
|
||||
$self->lmLog( "RelayState $relaystate extracted", 'debug' );
|
||||
$self->lmLog( "URL " . $req->urldc . " found in RelayState",
|
||||
'debug' );
|
||||
$self->logger->debug("RelayState $relaystate extracted");
|
||||
$self->logger->debug(
|
||||
"URL " . $req->urldc . " found in RelayState" );
|
||||
}
|
||||
|
||||
if ( $req->urldc
|
||||
|
@ -496,11 +483,11 @@ sub extractFormInfo {
|
|||
|
||||
# Process logout request
|
||||
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
|
||||
$self->lmLog( "Fail to process logout request", 'error' );
|
||||
$self->logger->error("Fail to process logout request");
|
||||
$logout_error = 1;
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout request is valid", 'debug' );
|
||||
$self->logger->debug("Logout request is valid");
|
||||
|
||||
# Check Destination
|
||||
return PE_SAML_DESTINATION_ERROR
|
||||
|
@ -509,19 +496,18 @@ sub extractFormInfo {
|
|||
# Get IDP entityID
|
||||
my $idp = $logout->remote_providerID();
|
||||
|
||||
$self->lmLog( "Found entityID $idp in SAML message", 'debug' );
|
||||
$self->logger->debug("Found entityID $idp in SAML message");
|
||||
|
||||
# IDP conf key
|
||||
my $idpConfKey = $self->idpList->{$idp}->{confKey};
|
||||
|
||||
unless ($idpConfKey) {
|
||||
$self->lmLog( "$idp do not match any IDP in configuration",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"$idp do not match any IDP in configuration");
|
||||
return PE_SAML_UNKNOWN_ENTITY;
|
||||
}
|
||||
|
||||
$self->lmLog( "$idp match $idpConfKey IDP in configuration",
|
||||
'debug' );
|
||||
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
|
||||
|
||||
# Do we check signature?
|
||||
my $checkSLOMessageSignature =
|
||||
|
@ -530,16 +516,15 @@ sub extractFormInfo {
|
|||
|
||||
if ($checkSLOMessageSignature) {
|
||||
unless ( $self->checkSignatureStatus($logout) ) {
|
||||
$self->lmLog( "Signature is not valid", 'error' );
|
||||
$self->logger->error("Signature is not valid");
|
||||
return PE_SAML_SIGNATURE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Signature is valid", 'debug' );
|
||||
$self->logger->debug("Signature is valid");
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Message signature will not be checked",
|
||||
'debug' );
|
||||
$self->logger->debug("Message signature will not be checked");
|
||||
}
|
||||
|
||||
# Get NameID and SessionIndex
|
||||
|
@ -548,12 +533,12 @@ sub extractFormInfo {
|
|||
my $user = $name_id->content;
|
||||
|
||||
unless ($name_id) {
|
||||
$self->lmLog( "Fail to get NameID from logout request",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Fail to get NameID from logout request");
|
||||
$logout_error = 1;
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout request NameID content: $user", 'debug' );
|
||||
$self->logger->debug("Logout request NameID content: $user");
|
||||
|
||||
# Get SAML sessions with the same NameID
|
||||
my $moduleOptions = $self->conf->{samlStorageOptions} || {};
|
||||
|
@ -571,9 +556,8 @@ sub extractFormInfo {
|
|||
my $local_session = $_;
|
||||
|
||||
# Get session
|
||||
$self->lmLog(
|
||||
"Retrieve SAML session $local_session for user $user",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Retrieve SAML session $local_session for user $user");
|
||||
|
||||
my $sessionInfo = $self->getSamlSession($local_session);
|
||||
|
||||
|
@ -583,9 +567,8 @@ sub extractFormInfo {
|
|||
and $session_index ne
|
||||
$sessionInfo->data->{_sessionIndex} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"Session $local_session has not the good session index, skipping",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Session $local_session has not the good session index, skipping"
|
||||
);
|
||||
next;
|
||||
}
|
||||
|
@ -607,9 +590,8 @@ sub extractFormInfo {
|
|||
if ( $ssoSession
|
||||
&& $ssoSession->data->{_lassoSessionDump} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"Get Lasso::Session dump from session $real_session",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Get Lasso::Session dump from session $real_session"
|
||||
);
|
||||
$session_dump =
|
||||
$ssoSession->data->{_lassoSessionDump};
|
||||
|
@ -620,9 +602,8 @@ sub extractFormInfo {
|
|||
# Delete SAML session
|
||||
my $del_saml_result = $sessionInfo->remove();
|
||||
|
||||
$self->lmLog(
|
||||
"Delete SAML session $local_session result: $del_saml_result",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Delete SAML session $local_session result: $del_saml_result"
|
||||
);
|
||||
|
||||
$logout_error = 1 unless $del_saml_result;
|
||||
|
@ -631,8 +612,8 @@ sub extractFormInfo {
|
|||
|
||||
# Set session from dump
|
||||
unless ( $self->setSessionFromDump( $logout, $session_dump ) ) {
|
||||
$self->lmLog( "Cannot set session from dump in logout",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Cannot set session from dump in logout");
|
||||
$logout_error = 1;
|
||||
}
|
||||
|
||||
|
@ -640,7 +621,7 @@ sub extractFormInfo {
|
|||
else {
|
||||
|
||||
# No corresponding session found
|
||||
$self->lmLog( "No SAML session found for user $user", 'debug' );
|
||||
$self->logger->debug("No SAML session found for user $user");
|
||||
|
||||
$logout_error = 1;
|
||||
|
||||
|
@ -649,14 +630,14 @@ sub extractFormInfo {
|
|||
# Validate request if no previous error
|
||||
unless ($logout_error) {
|
||||
unless ( $self->validateLogoutRequest($logout) ) {
|
||||
$self->lmLog( "SLO request is not valid", 'error' );
|
||||
$self->logger->error("SLO request is not valid");
|
||||
}
|
||||
}
|
||||
|
||||
# Set RelayState
|
||||
if ($relaystate) {
|
||||
$logout->msg_relayState($relaystate);
|
||||
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
||||
$self->logger->debug("Set $relaystate in RelayState");
|
||||
}
|
||||
|
||||
# Do we set signature?
|
||||
|
@ -665,26 +646,24 @@ sub extractFormInfo {
|
|||
->{samlIDPMetaDataOptionsSignSLOMessage};
|
||||
|
||||
if ( $signSLOMessage == 0 ) {
|
||||
$self->lmLog(
|
||||
"SLO message to IDP $idpConfKey will not be signed",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"SLO message to IDP $idpConfKey will not be signed");
|
||||
$self->disableSignature($logout);
|
||||
}
|
||||
elsif ( $signSLOMessage == 1 ) {
|
||||
$self->lmLog( "SLO message to IDP $idpConfKey will be signed",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"SLO message to IDP $idpConfKey will be signed");
|
||||
$self->forceSignature($logout);
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"SLO message to IDP $idpConfKey signature according to metadata",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"SLO message to IDP $idpConfKey signature according to metadata"
|
||||
);
|
||||
}
|
||||
|
||||
# Logout response
|
||||
unless ( $self->buildLogoutResponseMsg($logout) ) {
|
||||
$self->lmLog( "Unable to build SLO response", 'error' );
|
||||
$self->logger->error("Unable to build SLO response");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -695,7 +674,7 @@ sub extractFormInfo {
|
|||
|
||||
# Redirect user to response URL
|
||||
my $slo_url = $logout->msg_url;
|
||||
$self->lmLog( "Redirect user to $slo_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $slo_url");
|
||||
|
||||
$req->urldc($slo_url);
|
||||
|
||||
|
@ -726,7 +705,7 @@ sub extractFormInfo {
|
|||
|
||||
my $slo_body = $logout->msg_body;
|
||||
|
||||
$self->lmLog( "SOAP response $slo_body", 'debug' );
|
||||
$self->logger->debug("SOAP response $slo_body");
|
||||
|
||||
$req->response(
|
||||
[
|
||||
|
@ -758,7 +737,7 @@ sub extractFormInfo {
|
|||
else {
|
||||
|
||||
# This should not happen
|
||||
$self->lmLog( "SLO request or response was not found", 'error' );
|
||||
$self->logger->error("SLO request or response was not found");
|
||||
|
||||
# Redirect user
|
||||
$req->mustRedirect(1);
|
||||
|
@ -770,8 +749,8 @@ sub extractFormInfo {
|
|||
# 1.3 Artifact
|
||||
elsif ( $url =~ $self->artRe ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an artifact resolution service URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL $url detected as an artifact resolution service URL");
|
||||
|
||||
# Artifact request are sent with SOAP trough POST
|
||||
my $art_request = $req->content;
|
||||
|
@ -782,8 +761,8 @@ sub extractFormInfo {
|
|||
|
||||
# Process request message
|
||||
unless ( $self->processArtRequestMsg( $login, $art_request ) ) {
|
||||
$self->lmLog( "Unable to process artifact request message",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Unable to process artifact request message");
|
||||
return PE_SAML_ART_ERROR;
|
||||
}
|
||||
|
||||
|
@ -794,8 +773,7 @@ sub extractFormInfo {
|
|||
# Create artifact response
|
||||
unless ( $art_response = $self->createArtifactResponse( $req, $login ) )
|
||||
{
|
||||
$self->lmLog( "Unable to create artifact response message",
|
||||
'error' );
|
||||
$self->logger("Unable to create artifact response message");
|
||||
return PE_SAML_ART_ERROR;
|
||||
}
|
||||
|
||||
|
@ -824,7 +802,7 @@ sub extractFormInfo {
|
|||
# If confirmation is -1 from resolved IDP screen,
|
||||
# or IDP was not resolve, let the user choose its IDP
|
||||
if ( $confirm_flag == -1 or !$idp ) {
|
||||
$self->lmLog( "Redirecting user to IDP list", 'debug' );
|
||||
$self->logger->debug("Redirecting user to IDP list");
|
||||
|
||||
# Control url parameter
|
||||
my $urlcheck = $self->p->controlUrl($req);
|
||||
|
@ -860,7 +838,7 @@ sub extractFormInfo {
|
|||
|
||||
# If IDP is found but not confirmed, let the user confirm it
|
||||
elsif ( $confirm_flag != 1 ) {
|
||||
$self->lmLog( "IDP $idp selected, need user confirmation", 'debug' );
|
||||
$self->logger->debug("IDP $idp selected, need user confirmation");
|
||||
|
||||
# Control url parameter
|
||||
my $urlcheck = $self->p->controlUrl($req);
|
||||
|
@ -889,7 +867,7 @@ sub extractFormInfo {
|
|||
|
||||
# Here confirmation is OK (confirm_flag == 1), store choosen IDP in cookie
|
||||
unless ( $idp_cookie and $idp eq $idp_cookie ) {
|
||||
$self->lmLog( "Build cookie to remember $idp as IDP choice", 'debug' );
|
||||
$self->logger->debug("Build cookie to remember $idp as IDP choice");
|
||||
|
||||
# Control url parameter
|
||||
my $urlcheck = $self->p->controlUrl($req);
|
||||
|
@ -915,36 +893,31 @@ sub extractFormInfo {
|
|||
my $idpConfKey = $self->idpList->{$idp}->{confKey};
|
||||
|
||||
unless ($idpConfKey) {
|
||||
$self->lmLog( "$idp do not match any IDP in configuration", 'error' );
|
||||
$self->logger->error("$idp do not match any IDP in configuration");
|
||||
return PE_SAML_UNKNOWN_ENTITY;
|
||||
}
|
||||
|
||||
$self->lmLog( "$idp match $idpConfKey IDP in configuration", 'debug' );
|
||||
$self->logger->debug("$idp match $idpConfKey IDP in configuration");
|
||||
|
||||
# IDP ForceAuthn
|
||||
my $forceAuthn =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $forceAuthn = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsForceAuthn};
|
||||
|
||||
# IDP IsPassive
|
||||
my $isPassive =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $isPassive = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsIsPassive};
|
||||
|
||||
# IDP NameIDFormat
|
||||
my $nameIDFormat =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $nameIDFormat = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsNameIDFormat};
|
||||
$nameIDFormat = $self->getNameIDFormat($nameIDFormat) if $nameIDFormat;
|
||||
|
||||
# IDP ProxyRestriction
|
||||
my $allowProxiedAuthn =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $allowProxiedAuthn = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsAllowProxiedAuthn};
|
||||
|
||||
# IDP HTTP method
|
||||
my $method =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $method = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsSSOBinding};
|
||||
$method = $self->getHttpMethod($method);
|
||||
|
||||
|
@ -958,21 +931,17 @@ sub extractFormInfo {
|
|||
|
||||
# Failback to HTTP-REDIRECT
|
||||
unless ( defined $method and $method != -1 ) {
|
||||
$self->lmLog( "No method found with IDP $idpConfKey for SSO profile",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"No method found with IDP $idpConfKey for SSO profile");
|
||||
$method = $self->getHttpMethod("redirect");
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Use method "
|
||||
$self->logger->debug( "Use method "
|
||||
. $self->getHttpMethodString($method)
|
||||
. " with IDP $idpConfKey for SSO profile",
|
||||
'debug'
|
||||
);
|
||||
. " with IDP $idpConfKey for SSO profile" );
|
||||
|
||||
# Set signature
|
||||
my $signSSOMessage =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $signSSOMessage = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsSignSSOMessage} // -1;
|
||||
|
||||
# Authentication Context
|
||||
|
@ -991,17 +960,17 @@ sub extractFormInfo {
|
|||
);
|
||||
|
||||
unless ($login) {
|
||||
$self->lmLog( "Could not create authentication request on $idpConfKey",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Could not create authentication request on $idpConfKey");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Authentication request created", 'debug' );
|
||||
$self->logger->debug("Authentication request created");
|
||||
|
||||
# Keep assertion ID in memory to prevent replay
|
||||
my $samlID = $login->request()->ID;
|
||||
unless ( $self->storeReplayProtection($samlID) ) {
|
||||
$self->lmLog( "Unable to store assertion ID", 'error' );
|
||||
$self->logger->error("Unable to store assertion ID");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -1024,8 +993,8 @@ sub extractFormInfo {
|
|||
|
||||
$samlSessionInfo->update($infos);
|
||||
|
||||
$self->lmLog( "Keep initial SAML request data in memory for ID $samlID",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Keep initial SAML request data in memory for ID $samlID");
|
||||
}
|
||||
|
||||
# Send SSO request depending on request method
|
||||
|
@ -1036,7 +1005,7 @@ sub extractFormInfo {
|
|||
|
||||
# Redirect user to response URL
|
||||
my $sso_url = $login->msg_url;
|
||||
$self->lmLog( "Redirect user to $sso_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $sso_url");
|
||||
|
||||
$req->urldc($sso_url);
|
||||
|
||||
|
@ -1089,13 +1058,12 @@ sub setAuthSessionInfo {
|
|||
my $assertion = $self->getAssertion($login);
|
||||
|
||||
unless ($assertion) {
|
||||
$self->lmLog( "No assertion found", 'error' );
|
||||
$self->logger->error("No assertion found");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
# Force UTF-8
|
||||
my $force_utf8 =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $force_utf8 = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsForceUTF8};
|
||||
|
||||
# Try to get attributes if attribute statement is present in assertion
|
||||
|
@ -1140,7 +1108,7 @@ sub setAuthSessionInfo {
|
|||
};
|
||||
|
||||
if ( $@ or !$sessionNotOnOrAfter ) {
|
||||
$self->lmLog( "No SessionNotOnOrAfter value found", 'debug' );
|
||||
$self->logger->debug("No SessionNotOnOrAfter value found");
|
||||
}
|
||||
else {
|
||||
|
||||
|
@ -1156,9 +1124,8 @@ sub setAuthSessionInfo {
|
|||
# Use SAML time to determine the start of the session
|
||||
my $new_utime = $samltime - $timeout;
|
||||
$req->{sessionInfo}->{_utime} = $new_utime;
|
||||
$self->lmLog(
|
||||
"Adapt _utime with SessionNotOnOrAfter value, new _utime: $new_utime",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Adapt _utime with SessionNotOnOrAfter value, new _utime: $new_utime"
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -1166,8 +1133,8 @@ sub setAuthSessionInfo {
|
|||
|
||||
# Establish federation (required for attribute request in UserDBSAML)
|
||||
unless ( $self->acceptSSO($login) ) {
|
||||
$self->lmLog( "Error while accepting SSO from IDP $idpConfKey",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Error while accepting SSO from IDP $idpConfKey");
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -1180,15 +1147,14 @@ sub setAuthSessionInfo {
|
|||
$req->{sessionInfo}->{_lassoIdentityDump} = $identity->dump() if $identity;
|
||||
|
||||
# Keep SAML Token in session
|
||||
my $store_samlToken =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $store_samlToken = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsStoreSAMLToken};
|
||||
if ($store_samlToken) {
|
||||
$self->lmLog( "Store SAML Token in session", 'debug' );
|
||||
$self->logger->debug("Store SAML Token in session");
|
||||
$req->{sessionInfo}->{_samlToken} = $req->datas->{_samlToken};
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "SAML Token will not be stored in session", 'debug' );
|
||||
$self->logger->debug("SAML Token will not be stored in session");
|
||||
}
|
||||
|
||||
$req->datas->{_lassoLogin} = $login;
|
||||
|
@ -1210,12 +1176,9 @@ sub authFinish {
|
|||
my $nameid = $req->datas->{_nameID};
|
||||
my $session_index = $req->datas->{_sessionIndex};
|
||||
|
||||
$self->lmLog(
|
||||
"Store NameID "
|
||||
$self->logger->debug( "Store NameID "
|
||||
. $nameid->dump
|
||||
. " and SessionIndex $session_index for session $id",
|
||||
'debug'
|
||||
);
|
||||
. " and SessionIndex $session_index for session $id" );
|
||||
|
||||
# Save SAML session
|
||||
my $samlSessionInfo = $self->getSamlSession();
|
||||
|
@ -1233,7 +1196,7 @@ sub authFinish {
|
|||
|
||||
my $session_id = $samlSessionInfo->id;
|
||||
|
||||
$self->lmLog( "Link session $id to SAML session $session_id", 'debug' );
|
||||
$self->logger->debug("Link session $id to SAML session $session_id");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -1253,13 +1216,12 @@ sub authLogout {
|
|||
my $session_dump = $req->{sessionInfo}->{_lassoSessionDump};
|
||||
|
||||
unless ($session_dump) {
|
||||
$self->lmLog( "Could not get session dump from session", 'error' );
|
||||
$self->logger->error("Could not get session dump from session");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
# IDP HTTP method
|
||||
$method =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
$method = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsSLOBinding};
|
||||
$method = $self->getHttpMethod($method);
|
||||
|
||||
|
@ -1273,21 +1235,17 @@ sub authLogout {
|
|||
|
||||
# Skip SLO if no method found
|
||||
unless ( defined $method and $method != -1 ) {
|
||||
$self->lmLog( "No method found with IDP $idpConfKey for SLO profile",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"No method found with IDP $idpConfKey for SLO profile");
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Use method "
|
||||
$self->logger->debug( "Use method "
|
||||
. $self->getHttpMethodString($method)
|
||||
. " with IDP $idpConfKey for SLO profile",
|
||||
'debug'
|
||||
);
|
||||
. " with IDP $idpConfKey for SLO profile" );
|
||||
|
||||
# Set signature
|
||||
my $signSLOMessage =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $signSLOMessage = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsSignSLOMessage} // 0;
|
||||
|
||||
# Build Logout Request
|
||||
|
@ -1295,15 +1253,15 @@ sub authLogout {
|
|||
$self->createLogoutRequest( $req, $self->lassoServer, $session_dump,
|
||||
$method, $signSLOMessage );
|
||||
unless ($logout) {
|
||||
$self->lmLog( "Could not create logout request", 'error' );
|
||||
$self->logger->error("Could not create logout request");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout request created", 'debug' );
|
||||
$self->logger->debug("Logout request created");
|
||||
|
||||
# Keep request ID in memory to prevent replay
|
||||
unless ( $self->storeReplayProtection( $logout->request()->ID ) ) {
|
||||
$self->lmLog( "Unable to store Logout request ID", 'error' );
|
||||
$self->logger->error("Unable to store Logout request ID");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -1315,7 +1273,7 @@ sub authLogout {
|
|||
|
||||
# Redirect user to response URL
|
||||
my $slo_url = $logout->msg_url;
|
||||
$self->lmLog( "Redirect user to $slo_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $slo_url");
|
||||
|
||||
$req->urldc($slo_url);
|
||||
|
||||
|
@ -1331,7 +1289,7 @@ sub authLogout {
|
|||
# Use autosubmit form
|
||||
my $slo_url = $logout->msg_url;
|
||||
my $slo_body = $logout->msg_body;
|
||||
$self->lmLog( "Redirect user to $slo_url using autoPost", 'debug' );
|
||||
$self->logger->debug("Redirect user to $slo_url using autoPost");
|
||||
|
||||
$req->postUrl($slo_url);
|
||||
$req->postFields( { 'SAMLRequest' => $slo_body } );
|
||||
|
@ -1355,7 +1313,7 @@ sub authLogout {
|
|||
my $response = $self->sendSOAPMessage( $slo_url, $slo_body );
|
||||
|
||||
unless ($response) {
|
||||
$self->lmLog( "No logout response to SOAP request", 'error' );
|
||||
$self->logger->error("No logout response to SOAP request");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
|
@ -1366,11 +1324,11 @@ sub authLogout {
|
|||
my $result = $self->processLogoutResponseMsg( $logout, $response );
|
||||
|
||||
unless ($result) {
|
||||
$self->lmLog( "Fail to process logout response", 'error' );
|
||||
$self->logger->error("Fail to process logout response");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout response is valid", 'debug' );
|
||||
$self->logger->debug("Logout response is valid");
|
||||
|
||||
# Replay protection
|
||||
my $samlID = $logout->response()->InResponseTo;
|
||||
|
@ -1378,14 +1336,14 @@ sub authLogout {
|
|||
unless ( $self->replayProtection($samlID) ) {
|
||||
|
||||
# Logout request was already consumed or is expired
|
||||
$self->lmLog( "Message $samlID already used or expired", 'error' );
|
||||
$self->logger->error("Message $samlID already used or expired");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Lasso method $method not implemented here", 'error' );
|
||||
$self->logger->error("Lasso method $method not implemented here");
|
||||
return PE_SAML_SLO_ERROR;
|
||||
}
|
||||
}
|
||||
|
@ -1431,10 +1389,8 @@ sub getIDP {
|
|||
my $idpConfKey = $self->idpList->{$_}->{confKey};
|
||||
if ( $idpName eq $idpConfKey ) {
|
||||
$idp = $_;
|
||||
$self->lmLog(
|
||||
"IDP $idp found from idpName URL Parameter ($idpName)",
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug(
|
||||
"IDP $idp found from idpName URL Parameter ($idpName)");
|
||||
last;
|
||||
}
|
||||
}
|
||||
|
@ -1442,7 +1398,7 @@ sub getIDP {
|
|||
|
||||
# Case 3: Recover IDP from cookie
|
||||
if ( !$idp and $idp = $idp_cookie ) {
|
||||
$self->lmLog( "IDP $idp found in IDP resolution cookie", 'debug' );
|
||||
$self->logger->debug("IDP $idp found in IDP resolution cookie");
|
||||
}
|
||||
|
||||
# Case 4: check all IDP resolution rules
|
||||
|
@ -1450,13 +1406,12 @@ sub getIDP {
|
|||
else {
|
||||
foreach ( keys %{ $self->idpList } ) {
|
||||
my $idpConfKey = $self->idpList->{$_}->{confKey};
|
||||
my $cond =
|
||||
$self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
my $cond = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsResolutionRule};
|
||||
next unless defined $cond;
|
||||
if ( $self->safe->reval($cond) ) {
|
||||
$self->lmLog( "IDP $idpConfKey resolution rule match",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"IDP $idpConfKey resolution rule match");
|
||||
$idp = $_;
|
||||
last;
|
||||
}
|
||||
|
@ -1468,9 +1423,8 @@ sub getIDP {
|
|||
and $self->conf->{samlCommonDomainCookieActivation}
|
||||
and $self->conf->{samlCommonDomainCookieReader} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"Will try to use Common Domain Cookie for IDP resolution",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Will try to use Common Domain Cookie for IDP resolution");
|
||||
|
||||
# Add current URL to CDC Reader URL
|
||||
my $return_url = encode_base64( $self->self_url(), '' );
|
||||
|
@ -1483,7 +1437,7 @@ sub getIDP {
|
|||
: '?url=' . $return_url
|
||||
);
|
||||
|
||||
$self->lmLog( "Redirect user to $cdc_reader_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $cdc_reader_url");
|
||||
|
||||
$req->urldc($cdc_reader_url);
|
||||
|
||||
|
@ -1491,7 +1445,7 @@ sub getIDP {
|
|||
return PE_REDIRECT;
|
||||
}
|
||||
|
||||
$self->lmLog( 'No IDP found', 'debug' ) unless ($idp);
|
||||
$self->logger->debug('No IDP found') unless ($idp);
|
||||
}
|
||||
|
||||
# Alert when selected IDP is unknown
|
||||
|
|
|
@ -28,8 +28,8 @@ sub extractFormInfo {
|
|||
$user_header =~ s/\-/_/g;
|
||||
|
||||
unless ( $req->{user} = $req->env->{$user_header} ) {
|
||||
$self->lmLog( "No header " . $self->conf->{slaveUserHeader} . " found",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"No header " . $self->conf->{slaveUserHeader} . " found" );
|
||||
return PE_USERNOTFOUND;
|
||||
}
|
||||
PE_OK;
|
||||
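Review bot: The new `$self->userLogger->error( "No header " . $self->conf->{slaveUserHeader} . " found" )` reports the configured header name, but the lookup two lines above reads `$req->env->{$user_header}`, a key that was already rewritten (dashes to underscores here, presumably uppercased or prefixed above the hunk), so when a proxy silently drops or renames the header the operator sees only the name that was not consulted. Logging both forms makes the mismatch visible at no cost: `"No header " . $self->conf->{slaveUserHeader} . " (env key $user_header) found"`. The enclosing extractFormInfo starts before the hunk, so the full derivation of `$user_header` is not visible here.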
|
|
|
@ -56,7 +56,7 @@ sub extractFormInfo {
|
|||
|
||||
# 1. Request to authenticate
|
||||
unless ( $req->param('twitterback') ) {
|
||||
$self->lmLog( 'Redirection to Twitter', 'debug' );
|
||||
$self->logger->debug('Redirection to Twitter');
|
||||
|
||||
# 1.1 Try to get token to dialog with Twitter
|
||||
my $callback_url = $self->url();
|
||||
|
@ -80,8 +80,7 @@ sub extractFormInfo {
|
|||
# Forward hidden fields
|
||||
if ( exists $req->{portalHiddenFormValues} ) {
|
||||
|
||||
$self->lmLog( "Add hidden values to Twitter redirect URL",
|
||||
'debug' );
|
||||
$self->logger->debug("Add hidden values to Twitter redirect URL");
|
||||
|
||||
foreach ( keys %{ $req->{portalHiddenFormValues} } ) {
|
||||
$callback_url .=
|
||||
|
@ -106,10 +105,10 @@ sub extractFormInfo {
|
|||
|
||||
my $request_url = $request->to_url;
|
||||
|
||||
$self->lmLog( "POST $request_url to Twitter", 'debug' );
|
||||
$self->logger->debug("POST $request_url to Twitter");
|
||||
|
||||
my $res = $self->ua()->post($request_url);
|
||||
$self->lmLog( "Twitter response: " . $res->as_string, 'debug' );
|
||||
$self->logger->debug( "Twitter response: " . $res->as_string );
|
||||
|
||||
if ( $res->is_success ) {
|
||||
my $response = Net::OAuth->response('request token')
|
||||
|
@ -131,8 +130,8 @@ sub extractFormInfo {
|
|||
$self->quit();
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Twitter OAuth protocol error: ' . $res->content,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
'Twitter OAuth protocol error: ' . $res->content );
|
||||
return PE_ERROR;
|
||||
}
|
||||
}
|
||||
|
@ -141,13 +140,12 @@ sub extractFormInfo {
|
|||
my $request_token = $req->param('oauth_token');
|
||||
my $verifier = $req->param('oauth_verifier');
|
||||
unless ( $request_token and $verifier ) {
|
||||
$self->lmLog( 'Twitter OAuth protocol error', 'error' );
|
||||
$self->logger->error('Twitter OAuth protocol error');
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Get token $request_token and verifier $verifier from Twitter",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Get token $request_token and verifier $verifier from Twitter");
|
||||
|
||||
# 2.1 Reconnect to Twitter
|
||||
my $access = Net::OAuth->request("access token")->new(
|
||||
|
@ -166,10 +164,10 @@ sub extractFormInfo {
|
|||
|
||||
my $access_url = $access->to_url;
|
||||
|
||||
$self->lmLog( "POST $access_url to Twitter", 'debug' );
|
||||
$self->logger->debug("POST $access_url to Twitter");
|
||||
|
||||
my $res_access = $self->ua()->post($access_url);
|
||||
$self->lmLog( "Twitter response: " . $res_access->as_string, 'debug' );
|
||||
$self->logger->debug( "Twitter response: " . $res_access->as_string );
|
||||
|
||||
if ( $res_access->is_success ) {
|
||||
my $response = Net::OAuth->response('access token')
|
||||
|
@ -180,23 +178,20 @@ sub extractFormInfo {
|
|||
$req->datas->{_twitterScreenName} =
|
||||
$response->{extra_params}->{screen_name};
|
||||
|
||||
$self->lmLog(
|
||||
"Get user id "
|
||||
$self->logger->debug( "Get user id "
|
||||
. $req->datas->{_twitterUserId}
|
||||
. " and screen name "
|
||||
. $req->datas->{_twitterScreenName},
|
||||
'debug'
|
||||
);
|
||||
. $req->datas->{_twitterScreenName} );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Twitter OAuth protocol error: ' . $res_access->content,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
'Twitter OAuth protocol error: ' . $res_access->content );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# 2.4 Set $req->{user} to screen name
|
||||
$req->user( $req->datas->{_twitterScreenName} );
|
||||
$self->lmLog( "Good Twitter authentication for $req->{user}", 'debug' );
|
||||
$self->logger->debug("Good Twitter authentication for $req->{user}");
|
||||
|
||||
# Force redirection to avoid displaying OAuth datas
|
||||
$req->{mustRedirect} = 1;
|
||||
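Review bot: The line `$self->logger->debug( "Twitter response: " . $res_access->as_string );` in the `-166,10` hunk copies the entire access-token exchange into the log, and the body that `Net::OAuth->response('access token')` parses just below carries the user's OAuth token and, per OAuth 1.0a, its secret; the earlier hunk does the same for the request-token response and for `POST $request_url`, whose URL embeds the consumer key and request signature. Since the commit rewrites every one of these lines anyway, it is the right moment to log only the status at debug and keep the full body on the existing error branches, e.g. `$self->logger->debug( "Twitter response: " . $res_access->status_line );` and the same for `$res`. Likewise `"Get token $request_token and verifier $verifier from Twitter"` exposes the one-shot verifier, where the token alone is enough to correlate a flow. extractFormInfo starts before and ends after the hunks shown.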
|
|
|
@ -40,7 +40,7 @@ sub init {
|
|||
}
|
||||
my $re = Regexp::Assemble->new();
|
||||
foreach my $h (@hosts) {
|
||||
$self->lmLog( "Add $h in WebID whitelist", 'debug' );
|
||||
$self->logger->debug("Add $h in WebID whitelist");
|
||||
$h = quotemeta($h);
|
||||
$h =~ s/\\\*/\.\*\?/g;
|
||||
$re->add($h);
|
||||
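Review bot: `$self->logger->debug("Add $h in WebID whitelist")` logs the entry before `quotemeta` and the `*` → `.*?` rewrite, which is the readable form, but that rewrite only yields a safe whitelist if the assembled `$re` is later matched anchored (`\A…\z`); an unanchored pattern built from `example.org` would also accept `example.org.attacker.net`. Whether the match is anchored is outside the hunk (init continues past it), so this is a check to confirm rather than a defect in the rewritten line. A small readability nit on the context line: the replacement side of the substitution needs no escaping, `$h =~ s/\\\*/.*?/g;`.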
|
|
|
@ -24,8 +24,8 @@ sub init {
|
|||
unless ($self->conf->{yubikeyClientID}
|
||||
and $self->conf->{yubikeySecretKey} )
|
||||
{
|
||||
$self->lmLog( "Missing mandatory parameters (Client ID and secret key)",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Missing mandatory parameters (Client ID and secret key)");
|
||||
return 0;
|
||||
}
|
||||
$self->conf->{yubikeyPublicIDSize} ||= 12;
|
||||
|
@ -39,7 +39,7 @@ sub extractFormInfo {
|
|||
my $otp = $req->param('yubikeyOTP');
|
||||
return PE_FORMEMPTY unless $otp;
|
||||
|
||||
$self->lmLog( "Received Yubikey OTP $otp", 'debug' );
|
||||
$self->logger->debug("Received Yubikey OTP $otp");
|
||||
|
||||
# Verify OTP
|
||||
my $result = Auth::Yubikey_WebClient::yubikey_webclient(
|
||||
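Review bot: `$self->logger->debug("Received Yubikey OTP $otp");` writes the complete one-time password to the log before it is submitted to the validation service on the next line; if that call fails or times out the OTP has not been consumed and a log reader could replay it, and even a consumed OTP still reveals the public identity in its first characters. Log only that public prefix, whose length init already pins with `$self->conf->{yubikeyPublicIDSize} ||= 12`: `$self->logger->debug( "Received Yubikey OTP for public ID " . substr( $otp, 0, $self->conf->{yubikeyPublicIDSize} ) );`. The init error branch is fine as rewritten, since it names the missing parameters without printing their values.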
|
|
|
@ -113,7 +113,7 @@ sub extractFormInfo {
|
|||
$self->p->userNotice("Captcha failed: wrong or expired code");
|
||||
return PE_CAPTCHAERROR;
|
||||
}
|
||||
$self->lmLog( "Captcha code verified", 'debug' );
|
||||
$self->logger->debug("Captcha code verified");
|
||||
}
|
||||
elsif ( $self->ott ) {
|
||||
unless ( $self->ott->getToken($token) ) {
|
||||
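Review bot: The hunk moves the success line to `$self->logger->debug("Captcha code verified")` but leaves the failure line two lines above on `$self->p->userNotice(...)`, while the rest of this commit routes user-attributable events through `$self->userLogger` (see the Slave hunk's `$self->userLogger->error`). If userLogger exposes a notice level, `$self->userLogger->notice("Captcha failed: wrong or expired code");` keeps both branches of the captcha check on the same logging path and makes the audit trail consistent. The enclosing extractFormInfo starts before and ends after the hunk.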
|
|
|
@ -40,12 +40,9 @@ sub init {
|
|||
}
|
||||
$self->cdc_name( $conf->{samlCommonDomainCookieName} || '_saml_idp' );
|
||||
$self->cdc_domain( $conf->{samlCommonDomainCookieDomain} );
|
||||
$self->lmLog( "[CDC] Cookie name: " . $self->cdc_name, 'debug' );
|
||||
$self->lmLog(
|
||||
"[CDC] Domain name: "
|
||||
. ( $self->cdc_domain ? $self->cdc_domain : '<host name>' ),
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug( "[CDC] Cookie name: " . $self->cdc_name );
|
||||
$self->logger->debug( "[CDC] Domain name: "
|
||||
. ( $self->cdc_domain ? $self->cdc_domain : '<host name>' ) );
|
||||
|
||||
foreach (qw(httpOnly cookieExpiration oldStyleUrl)) {
|
||||
$self->$_( $conf->{$_} );
|
||||
|
@ -71,7 +68,7 @@ sub handler {
|
|||
# TODO: Control URL
|
||||
#my $control_url = $self->_sub('controlUrlOrigin');
|
||||
#unless ( $control_url == PE_OK ) {
|
||||
# $self->lmLog( "[CDC] Bad URL", 'error' );
|
||||
# $self->logger->error( "[CDC] Bad URL");
|
||||
# return $control_url;
|
||||
#}
|
||||
|
||||
|
@ -81,7 +78,7 @@ sub handler {
|
|||
$cdc_cookie = $cookies{ $self->cdc_name } if %cookies;
|
||||
|
||||
if ($cdc_cookie) {
|
||||
$self->lmLog( "[CDC] Cookie found with value $cdc_cookie", 'debug' );
|
||||
$self->logger->debug("[CDC] Cookie found with value $cdc_cookie");
|
||||
}
|
||||
|
||||
# Write request
|
||||
|
@ -90,7 +87,7 @@ sub handler {
|
|||
# Append IDP to common domain cookie
|
||||
if ( $action eq 'write' ) {
|
||||
|
||||
$self->lmLog( "[CDC] Write request detected", 'debug' );
|
||||
$self->logger->debug("[CDC] Write request detected");
|
||||
|
||||
# Check IDP value
|
||||
unless ($idp) {
|
||||
|
@ -98,7 +95,7 @@ sub handler {
|
|||
}
|
||||
|
||||
# Add IDP value
|
||||
$self->lmLog( "[CDC] Will add IDP $idp to IDP list", 'debug' );
|
||||
$self->logger->debug("[CDC] Will add IDP $idp to IDP list");
|
||||
|
||||
my $encoded_idp = encode_base64( $idp, '' );
|
||||
|
||||
|
@ -109,9 +106,8 @@ sub handler {
|
|||
$cdc_cookie .= ( $cdc_cookie ? " " : "" );
|
||||
$cdc_cookie .= $encoded_idp;
|
||||
|
||||
$self->lmLog(
|
||||
"[CDC] Build cookie $self->{cdc_name} with value $cdc_cookie",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"[CDC] Build cookie $self->{cdc_name} with value $cdc_cookie");
|
||||
|
||||
# Build cookie
|
||||
$req->addCookie(
|
||||
|
@ -130,15 +126,15 @@ sub handler {
|
|||
|
||||
elsif ( $action eq 'read' ) {
|
||||
|
||||
$self->lmLog( "[CDC] Read request detected", 'debug' );
|
||||
$self->logger->debug("[CDC] Read request detected");
|
||||
|
||||
# Get last IDP from cookie
|
||||
if ($cdc_cookie) {
|
||||
$cdc_idp = decode_base64( ( split /\s+/, $cdc_cookie )[-1] );
|
||||
$self->lmLog( "[CDC] Get value $cdc_idp", 'debug' );
|
||||
$self->logger->debug("[CDC] Get value $cdc_idp");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "[CDC] No cookie, set a default value", 'debug' );
|
||||
$self->logger->debug("[CDC] No cookie, set a default value");
|
||||
$cdc_idp = 'notfound';
|
||||
}
|
||||
}
|
||||
|
|
|
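Review bot: `$self->logger->debug("[CDC] Get value $cdc_idp")` in the `read` branch interpolates the base64-decoded last element of the common-domain cookie (default name `_saml_idp`) straight into the log line; the cookie comes from the client and `decode_base64` will happily yield newlines and other control bytes, so a crafted cookie can forge extra log lines or break structured log parsing. Log a printable copy instead, e.g. `( my $shown = $cdc_idp ) =~ s/[^[:print:]]/?/g;` followed by `$self->logger->debug("[CDC] Get value $shown");`, and the same applies to `"[CDC] Cookie found with value $cdc_cookie"` in the earlier hunk, which logs the raw cookie. Since `$cdc_idp` is presumably used after the hunk to select an IDP, checking it against the configured IDP list before use would close the same gap at the consumer. `handler` begins and ends outside the hunks shown.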
@ -1,341 +0,0 @@
|
|||
## @file
|
||||
# Display functions for LemonLDAP::NG Portal
|
||||
|
||||
## @class
|
||||
# Display functions for LemonLDAP::NG Portal
|
||||
package Lemonldap::NG::Portal::Display;
|
||||
|
||||
use strict;
|
||||
use Lemonldap::NG::Portal::Simple;
|
||||
use utf8;
|
||||
|
||||
our $VERSION = '2.0.0';
|
||||
|
||||
## @method array display()
|
||||
# Call portal process and set template parameters
|
||||
# @return template name and template parameters
|
||||
sub display {
|
||||
my $self = shift;
|
||||
|
||||
my $skin_dir = $self->getApacheHtdocsPath() . "/skins";
|
||||
my ( $skinfile, %templateParams );
|
||||
my $http_error = $self->param('lmError');
|
||||
|
||||
# 0. Display error page
|
||||
if ($http_error) {
|
||||
|
||||
$skinfile = 'error.tpl';
|
||||
|
||||
# Error code
|
||||
my $error500 = 1 if ( $http_error eq "500" );
|
||||
my $error403 = 1 if ( $http_error eq "403" );
|
||||
my $error503 = 1 if ( $http_error eq "503" );
|
||||
|
||||
# Check URL
|
||||
$self->_sub('controlUrlOrigin');
|
||||
|
||||
# Load session content
|
||||
$self->_sub('controlExistingSession');
|
||||
|
||||
%templateParams = (
|
||||
PORTAL_URL => $self->{portal},
|
||||
LOGOUT_URL => $self->{portal} . "?logout=1",
|
||||
URL => $self->{urldc},
|
||||
ERROR403 => $error403,
|
||||
ERROR500 => $error500,
|
||||
ERROR503 => $error503,
|
||||
);
|
||||
|
||||
}
|
||||
|
||||
# 1. Good authentication
|
||||
elsif ( $self->process() ) {
|
||||
|
||||
# 1.1 Image mode
|
||||
if ( $self->{error} == PE_IMG_OK || $self->{error} == PE_IMG_NOK ) {
|
||||
$skinfile = "$skin_dir/common/"
|
||||
. (
|
||||
$self->{error} == PE_IMG_OK
|
||||
? 'ok.png'
|
||||
: 'warning.png'
|
||||
);
|
||||
$self->printImage( $skinfile, 'image/png' );
|
||||
exit;
|
||||
}
|
||||
|
||||
# 1.2 Case : there is a message to display
|
||||
elsif ( my $info = $self->info() ) {
|
||||
$skinfile = 'info.tpl';
|
||||
%templateParams = (
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
MSG => $info,
|
||||
URL => $self->{urldc},
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
ACTIVE_TIMER => $self->{activeTimer},
|
||||
FORM_METHOD => $self->{infoFormMethod},
|
||||
);
|
||||
}
|
||||
|
||||
# 1.3 Redirection
|
||||
elsif ( $self->{error} == PE_REDIRECT ) {
|
||||
$skinfile = "redirect.tpl";
|
||||
%templateParams = (
|
||||
URL => $self->{urldc},
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
FORM_METHOD => $self->{redirectFormMethod},
|
||||
);
|
||||
}
|
||||
|
||||
# 1.4 Case : display menu
|
||||
else {
|
||||
|
||||
# Initialize menu elements
|
||||
$self->_sub('menuInit');
|
||||
|
||||
$skinfile = 'menu.tpl';
|
||||
my $auth_user = $self->{sessionInfo}->{ $self->{portalUserAttr} };
|
||||
utf8::decode($auth_user);
|
||||
|
||||
%templateParams = (
|
||||
AUTH_USER => $auth_user,
|
||||
NEWWINDOW => $self->{portalOpenLinkInNewWindow},
|
||||
AUTH_ERROR => $self->error( $self->{menuError} ),
|
||||
AUTH_ERROR_TYPE => $self->error_type( $self->{menuError} ),
|
||||
DISPLAY_TAB => $self->{menuDisplayTab},
|
||||
LOGOUT_URL => "$ENV{SCRIPT_NAME}?logout=1",
|
||||
REQUIRE_OLDPASSWORD => $self->{portalRequireOldPassword},
|
||||
HIDE_OLDPASSWORD =>
|
||||
0, # Do not hide old password if it is required
|
||||
DISPLAY_MODULES => $self->{menuDisplayModules},
|
||||
APPSLIST_MENU => $self->{menuAppslistMenu}, # For old templates
|
||||
APPSLIST_DESC => $self->{menuAppslistDesc}, # For old templates
|
||||
SCRIPT_NAME => $ENV{SCRIPT_NAME},
|
||||
APPSLIST_ORDER => $self->{sessionInfo}->{'appsListOrder'},
|
||||
PING => $self->{portalPingInterval},
|
||||
);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
# 2. Authentication not complete
|
||||
|
||||
# 2.1 A notification has to be done (session is created but hidden and unusable
|
||||
# until the user has accept the message)
|
||||
elsif ( my $notif = $self->notification ) {
|
||||
$skinfile = 'notification.tpl';
|
||||
%templateParams = (
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
NOTIFICATION => $notif,
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
AUTH_URL => $self->get_url,
|
||||
CHOICE_PARAM => $self->{authChoiceParam},
|
||||
CHOICE_VALUE => $self->{_authChoice},
|
||||
);
|
||||
}
|
||||
|
||||
# 2.2 An authentication (or userDB) module needs to ask a question
|
||||
# before processing to the request
|
||||
elsif ( $self->{error} == PE_CONFIRM ) {
|
||||
$skinfile = 'confirm.tpl';
|
||||
%templateParams = (
|
||||
AUTH_ERROR => $self->error,
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
AUTH_URL => $self->get_url,
|
||||
MSG => $self->info(),
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
ACTIVE_TIMER => $self->{activeTimer},
|
||||
FORM_METHOD => $self->{confirmFormMethod},
|
||||
CHOICE_PARAM => $self->{authChoiceParam},
|
||||
CHOICE_VALUE => $self->{_authChoice},
|
||||
CHECK_LOGINS => $self->{portalCheckLogins} && $self->{login},
|
||||
ASK_LOGINS => $self->{checkLogins},
|
||||
CONFIRMKEY => $self->stamp(),
|
||||
LIST => $self->{list} || [],
|
||||
REMEMBER => $self->{confirmRemember},
|
||||
);
|
||||
}
|
||||
|
||||
# 2.3 There is a message to display
|
||||
elsif ( my $info = $self->info() ) {
|
||||
$skinfile = 'info.tpl';
|
||||
%templateParams = (
|
||||
AUTH_ERROR => $self->error,
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
MSG => $info,
|
||||
URL => $self->{urldc},
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
ACTIVE_TIMER => $self->{activeTimer},
|
||||
FORM_METHOD => $self->{infoFormMethod},
|
||||
CHOICE_PARAM => $self->{authChoiceParam},
|
||||
CHOICE_VALUE => $self->{_authChoice},
|
||||
);
|
||||
}
|
||||
|
||||
# 2.4 OpenID menu page
|
||||
elsif ($self->{error} == PE_OPENID_EMPTY
|
||||
or $self->{error} == PE_OPENID_BADID )
|
||||
{
|
||||
$skinfile = 'openid.tpl';
|
||||
my $p = $self->{portal} . $self->{issuerDBOpenIDPath};
|
||||
$p =~ s#(?<!:)/\^?/#/#g;
|
||||
%templateParams = (
|
||||
AUTH_ERROR => $self->error,
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
PROVIDERURI => $p,
|
||||
ID => $self->{_openidPortal}
|
||||
. $self->{sessionInfo}
|
||||
->{ $self->{openIdAttr} || $self->{whatToTrace} },
|
||||
PORTAL_URL => $self->{portal},
|
||||
MSG => $self->info(),
|
||||
);
|
||||
}
|
||||
|
||||
# 2.5 Authentication has been refused OR this is the first access
|
||||
else {
|
||||
$skinfile = 'login.tpl';
|
||||
%templateParams = (
|
||||
AUTH_ERROR => $self->error,
|
||||
AUTH_ERROR_TYPE => $self->error_type,
|
||||
AUTH_URL => $self->get_url,
|
||||
LOGIN => $self->get_user,
|
||||
CHECK_LOGINS => $self->{portalCheckLogins},
|
||||
ASK_LOGINS => $self->{checkLogins},
|
||||
DISPLAY_RESETPASSWORD => $self->{portalDisplayResetPassword},
|
||||
DISPLAY_REGISTER => $self->{portalDisplayRegister},
|
||||
MAIL_URL => $self->{mailUrl},
|
||||
REGISTER_URL => $self->{registerUrl},
|
||||
HIDDEN_INPUTS => $self->buildHiddenForm(),
|
||||
LOGIN_INFO => $self->loginInfo(),
|
||||
);
|
||||
|
||||
# Display captcha if it's enabled
|
||||
if ( $self->{captcha_login_enabled} ) {
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
CAPTCHA_IMG => $self->{captcha_img},
|
||||
CAPTCHA_CODE => $self->{captcha_code},
|
||||
CAPTCHA_SIZE => $self->{captcha_size}
|
||||
);
|
||||
}
|
||||
|
||||
# Show password form if password policy error
|
||||
if (
|
||||
|
||||
$self->{error} == PE_PP_CHANGE_AFTER_RESET
|
||||
or $self->{error} == PE_PP_MUST_SUPPLY_OLD_PASSWORD
|
||||
or $self->{error} == PE_PP_INSUFFICIENT_PASSWORD_QUALITY
|
||||
or $self->{error} == PE_PP_PASSWORD_TOO_SHORT
|
||||
or $self->{error} == PE_PP_PASSWORD_TOO_YOUNG
|
||||
or $self->{error} == PE_PP_PASSWORD_IN_HISTORY
|
||||
or $self->{error} == PE_PASSWORD_MISMATCH
|
||||
or $self->{error} == PE_BADOLDPASSWORD
|
||||
or $self->{error} == PE_PASSWORDFORMEMPTY
|
||||
or ( $self->{error} == PE_PP_PASSWORD_EXPIRED
|
||||
and $self->{ldapAllowResetExpiredPassword} )
|
||||
)
|
||||
{
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
REQUIRE_OLDPASSWORD =>
|
||||
1, # Old password is required to check user credentials
|
||||
DISPLAY_FORM => 0,
|
||||
DISPLAY_OPENID_FORM => 0,
|
||||
DISPLAY_YUBIKEY_FORM => 0,
|
||||
DISPLAY_PASSWORD => 1,
|
||||
DISPLAY_RESETPASSWORD => 0,
|
||||
AUTH_LOOP => [],
|
||||
CHOICE_PARAM => $self->{authChoiceParam},
|
||||
CHOICE_VALUE => $self->{_authChoice},
|
||||
OLDPASSWORD =>
|
||||
$self->checkXSSAttack( 'oldpassword', $self->{oldpassword} )
|
||||
? ""
|
||||
: $self->{oldpassword},
|
||||
HIDE_OLDPASSWORD => $self->{hideOldPassword},
|
||||
);
|
||||
}
|
||||
|
||||
# Disable all forms on:
|
||||
# * Logout message
|
||||
# * Bad URL error
|
||||
elsif ($self->{error} == PE_LOGOUT_OK
|
||||
or $self->{error} == PE_BADURL )
|
||||
{
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
DISPLAY_RESETPASSWORD => 0,
|
||||
DISPLAY_FORM => 0,
|
||||
DISPLAY_OPENID_FORM => 0,
|
||||
DISPLAY_YUBIKEY_FORM => 0,
|
||||
AUTH_LOOP => [],
|
||||
PORTAL_URL => $self->{portal},
|
||||
MSG => $self->info(),
|
||||
);
|
||||
|
||||
}
|
||||
|
||||
# Display authentifcation form
|
||||
else {
|
||||
|
||||
# Authentication loop
|
||||
if ( $self->{authLoop} ) {
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
AUTH_LOOP => $self->{authLoop},
|
||||
CHOICE_PARAM => $self->{authChoiceParam},
|
||||
CHOICE_VALUE => $self->{_authChoice},
|
||||
DISPLAY_FORM => 0,
|
||||
DISPLAY_OPENID_FORM => 0,
|
||||
DISPLAY_YUBIKEY_FORM => 0,
|
||||
);
|
||||
}
|
||||
|
||||
# Choose what form to display if not in a loop
|
||||
else {
|
||||
|
||||
my $displayType = $self->getDisplayType();
|
||||
|
||||
$self->lmLog( "Display type $displayType ", 'debug' );
|
||||
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
DISPLAY_FORM => $displayType eq "standardform" ? 1 : 0,
|
||||
DISPLAY_OPENID_FORM => $displayType eq "openidform" ? 1 : 0,
|
||||
DISPLAY_YUBIKEY_FORM => $displayType eq "yubikeyform" ? 1
|
||||
: 0,
|
||||
DISPLAY_LOGO_FORM => $displayType eq "logo" ? 1 : 0,
|
||||
module => $displayType eq "logo" ? $self->get_module('auth')
|
||||
: "",
|
||||
AUTH_LOOP => [],
|
||||
PORTAL_URL => $displayType eq "logo" ? $self->{portal} : 0,
|
||||
MSG => $self->info(),
|
||||
);
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
## Common template params
|
||||
my $skin = $self->getSkin();
|
||||
my $portalPath = $self->{portal};
|
||||
$portalPath =~ s#^https?://[^/]+/?#/#;
|
||||
$portalPath =~ s#[^/]+\.fcgi$##;
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
SKIN_PATH => $portalPath . "skins",
|
||||
SKIN => $skin,
|
||||
ANTIFRAME => $self->{portalAntiFrame},
|
||||
SKIN_BG => $self->{portalSkinBackground},
|
||||
);
|
||||
|
||||
## Custom template params
|
||||
if ( my $customParams = $self->getCustomTemplateParameters() ) {
|
||||
%templateParams = ( %templateParams, %$customParams );
|
||||
}
|
||||
|
||||
return ( "$skin_dir/$skin/$skinfile", %templateParams );
|
||||
|
||||
}
|
||||
|
||||
1;
|
|
@ -61,7 +61,7 @@ sub run {
|
|||
# 1. LOGIN
|
||||
if ( $target eq $cas_login ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS LOGIN URL", 'debug' );
|
||||
$self->logger->debug("URL $url detected as an CAS LOGIN URL");
|
||||
|
||||
# GET parameters
|
||||
my $service = $self->p->getHiddenFormValue( $req, 'service' )
|
||||
|
@ -76,7 +76,7 @@ sub run {
|
|||
if ( $renew and $renew eq 'true' ) {
|
||||
|
||||
# Authentication must be replayed
|
||||
$self->lmLog( "Authentication renew requested", 'debug' );
|
||||
$self->logger->debug("Authentication renew requested");
|
||||
$self->{updateSession} = 1;
|
||||
$req->steps(
|
||||
[
|
||||
|
@ -92,7 +92,7 @@ sub run {
|
|||
|
||||
# If no service defined, exit
|
||||
unless ( defined $service ) {
|
||||
$self->lmLog( "No service defined in CAS URL", 'debug' );
|
||||
$self->logger->debug("No service defined in CAS URL");
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
|
@ -100,36 +100,34 @@ sub run {
|
|||
my $casAccessControlPolicy = $self->conf->{casAccessControlPolicy};
|
||||
|
||||
if ( $casAccessControlPolicy =~ /^(error|faketicket)$/i ) {
|
||||
$self->lmLog( "CAS access control requested on service $service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"CAS access control requested on service $service");
|
||||
|
||||
## HERE
|
||||
unless ( $service =~ m#^https?://([^/]+)(/.*)?$# ) {
|
||||
$self->lmLog( "Bad service $service", 'error' );
|
||||
$self->logger->error("Bad service $service");
|
||||
return PE_ERROR;
|
||||
}
|
||||
my ( $host, $uri ) = ( $1, $2 );
|
||||
if ( $self->p->HANDLER->grant( $req->sessionInfo, $1, undef, $2 ) )
|
||||
{
|
||||
$self->lmLog( "CAS service $service access allowed", 'debug' );
|
||||
$self->logger->debug("CAS service $service access allowed");
|
||||
}
|
||||
|
||||
else {
|
||||
$self->lmLog( "CAS service $service access not allowed",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"CAS service $service access not allowed");
|
||||
|
||||
if ( $casAccessControlPolicy =~ /^(error)$/i ) {
|
||||
$self->lmLog(
|
||||
"Return error instead of redirecting user on CAS service",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Return error instead of redirecting user on CAS service"
|
||||
);
|
||||
return PE_CAS_SERVICE_NOT_ALLOWED;
|
||||
}
|
||||
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Redirect user on CAS service with a fake ticket",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Redirect user on CAS service with a fake ticket");
|
||||
$casServiceTicket = "ST-F4K3T1CK3T";
|
||||
}
|
||||
}
|
||||
|
@ -145,21 +143,20 @@ sub run {
|
|||
time() - $last_authn_utime <
|
||||
$self->conf->{portalForceAuthnInterval} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"Authentication is recent, will set CAS renew flag to true",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Authentication is recent, will set CAS renew flag to true"
|
||||
);
|
||||
$casRenewFlag = 1;
|
||||
}
|
||||
|
||||
# Create a service ticket
|
||||
$self->lmLog( "Create a CAS service ticket for service $service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Create a CAS service ticket for service $service");
|
||||
|
||||
my $casServiceSession = $self->getCasSession();
|
||||
|
||||
unless ($casServiceSession) {
|
||||
$self->lmLog( "Unable to create CAS session", 'error' );
|
||||
$self->logger->error("Unable to create CAS session");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
|
@ -175,8 +172,8 @@ sub run {
|
|||
my $casServiceSessionID = $casServiceSession->id;
|
||||
$casServiceTicket = "ST-" . $casServiceSessionID;
|
||||
|
||||
$self->lmLog( "CAS service session $casServiceSessionID created",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"CAS service session $casServiceSessionID created");
|
||||
}
|
||||
|
||||
# Redirect to service
|
||||
|
@ -187,7 +184,7 @@ sub run {
|
|||
: '?ticket=' . $casServiceTicket
|
||||
);
|
||||
|
||||
$self->lmLog( "Redirect user to $service_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $service_url");
|
||||
|
||||
$req->{urldc} = $service_url;
|
||||
|
||||
|
@ -198,7 +195,7 @@ sub run {
|
|||
# 2. LOGOUT
|
||||
if ( $target eq $cas_logout ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS LOGOUT URL", 'debug' );
|
||||
$self->logger->debug("URL $url detected as an CAS LOGOUT URL");
|
||||
|
||||
# Disable Content-Security-Policy header since logout can be embedded
|
||||
# in a frame
|
||||
|
@ -213,14 +210,14 @@ sub run {
|
|||
# Delete local session
|
||||
if ( my $session = $self->p->getApacheSession($session_id) ) {
|
||||
unless ( $self->p->_deleteSession( $req, $session ) ) {
|
||||
$self->lmLog( "Fail to delete session $session_id ", 'error' );
|
||||
$self->logger->error("Fail to delete session $session_id ");
|
||||
}
|
||||
|
||||
if ($logout_url) {
|
||||
|
||||
# Display a link to the provided URL
|
||||
$self->lmLog( "Logout URL $logout_url will be displayed",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Logout URL $logout_url will be displayed");
|
||||
|
||||
$req->info(
|
||||
'<h3 trmsg="back2CasUrl">The application you just logged out of has provided a link it would like you to follow</h3>'
|
||||
|
@ -232,7 +229,7 @@ sub run {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unknown session $session_id", 'info' );
|
||||
$self->logger->info("Unknown session $session_id");
|
||||
}
|
||||
|
||||
return PE_LOGOUT_OK;
|
||||
|
@ -242,12 +239,11 @@ sub run {
|
|||
# 3. VALIDATE [CAS 1.0]
|
||||
if ( $target eq $cas_validate ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS VALIDATE URL", 'debug' );
|
||||
$self->logger->debug("URL $url detected as an CAS VALIDATE URL");
|
||||
|
||||
# This URL must not be called by authenticated users
|
||||
$self->lmLog(
|
||||
"CAS VALIDATE URL called by authenticated user, ignore it",
|
||||
'info' );
|
||||
$self->userLogger->info(
|
||||
"CAS VALIDATE URL called by authenticated user, ignore it");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -255,14 +251,12 @@ sub run {
|
|||
# 4. SERVICE VALIDATE [CAS 2.0]
|
||||
if ( $target eq $cas_serviceValidate ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS SERVICE VALIDATE URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL $url detected as an CAS SERVICE VALIDATE URL");
|
||||
|
||||
# This URL must not be called by authenticated users
|
||||
$self->lmLog(
|
||||
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it",
|
||||
'info'
|
||||
);
|
||||
$self->userLogger->info(
|
||||
"CAS SERVICE VALIDATE URL called by authenticated user, ignore it");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -270,13 +264,11 @@ sub run {
|
|||
# 5. PROXY VALIDATE [CAS 2.0]
|
||||
if ( $target eq $cas_proxyValidate ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS PROXY VALIDATE URL",
|
||||
'debug' );
|
||||
$self->logger->debug("URL $url detected as an CAS PROXY VALIDATE URL");
|
||||
|
||||
# This URL must not be called by authenticated users
|
||||
$self->lmLog(
|
||||
"CAS PROXY VALIDATE URL called by authenticated user, ignore it",
|
||||
'info' );
|
||||
$self->userLogger->info(
|
||||
"CAS PROXY VALIDATE URL called by authenticated user, ignore it");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -284,11 +276,11 @@ sub run {
|
|||
# 6. PROXY [CAS 2.0]
|
||||
if ( $target eq $cas_proxy ) {
|
||||
|
||||
$self->lmLog( "URL $url detected as an CAS PROXY URL", 'debug' );
|
||||
$self->logger->debug("URL $url detected as an CAS PROXY URL");
|
||||
|
||||
# This URL must not be called by authenticated users
|
||||
$self->lmLog( "CAS PROXY URL called by authenticated user, ignore it",
|
||||
'info' );
|
||||
$self->userLogger->info(
|
||||
"CAS PROXY URL called by authenticated user, ignore it");
|
||||
|
||||
return PE_OK;
|
||||
}
|
||||
|
@ -312,8 +304,8 @@ sub logout {
|
|||
|
||||
sub validate {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( 'URL ' . $req->uri . ' detected as an CAS VALIDATE URL',
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'URL ' . $req->uri . ' detected as an CAS VALIDATE URL' );
|
||||
|
||||
# GET parameters
|
||||
my $service = $req->param('service');
|
||||
|
@ -322,27 +314,26 @@ sub validate {
|
|||
|
||||
# Required parameters: service and ticket
|
||||
unless ( $service and $ticket ) {
|
||||
$self->lmLog( "Service and Ticket parameters required", 'error' );
|
||||
$self->logger->error("Service and Ticket parameters required");
|
||||
return $self->returnCasValidateError();
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Get validate request with ticket $ticket for service $service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Get validate request with ticket $ticket for service $service");
|
||||
|
||||
unless ( $ticket =~ s/^ST-// ) {
|
||||
$self->lmLog( "Provided ticket is not a service ticket (ST)", 'error' );
|
||||
$self->logger->error("Provided ticket is not a service ticket (ST)");
|
||||
return $self->returnCasValidateError();
|
||||
}
|
||||
|
||||
my $casServiceSession = $self->getCasSession($ticket);
|
||||
|
||||
unless ($casServiceSession) {
|
||||
$self->lmLog( "Service ticket session $ticket not found", 'error' );
|
||||
$self->logger->error("Service ticket session $ticket not found");
|
||||
return $self->returnCasValidateError();
|
||||
}
|
||||
|
||||
$self->lmLog( "Service ticket session $ticket found", 'debug' );
|
||||
$self->logger->debug("Service ticket session $ticket found");
|
||||
|
||||
my $service1_uri = URI->new($service);
|
||||
my $service2_uri = URI->new( $casServiceSession->data->{service} );
|
||||
|
@ -354,38 +345,32 @@ sub validate {
|
|||
if ( $service1_uri->rel($service2_uri) eq "./"
|
||||
or $service2_uri->rel($service1_uri) eq "./" )
|
||||
{
|
||||
$self->lmLog(
|
||||
$self->logger->notice(
|
||||
"Submitted service $service1_uri does not exactly match initial service "
|
||||
. $service2_uri
|
||||
. ' but difference is tolerated.',
|
||||
'warn'
|
||||
);
|
||||
. ' but difference is tolerated.' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
$self->logger->error(
|
||||
"Submitted service $service does not match initial service "
|
||||
. $casServiceSession->data->{service},
|
||||
'error'
|
||||
);
|
||||
. $casServiceSession->data->{service} );
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasValidateError();
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Submitted service $service math initial servce",
|
||||
'debug' );
|
||||
$self->logger->debug("Submitted service $service math initial servce");
|
||||
}
|
||||
|
||||
# Check renew
|
||||
if ( $renew and $renew eq 'true' ) {
|
||||
|
||||
# We should check the ST was delivered with primary credentials
|
||||
$self->lmLog( "Renew flag detected ", 'debug' );
|
||||
$self->logger->debug("Renew flag detected ");
|
||||
|
||||
unless ( $casServiceSession->data->{renew} ) {
|
||||
$self->lmLog(
|
||||
"Authentication renew requested, but not done in former authentication process",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"Authentication renew requested, but not done in former authentication process"
|
||||
);
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasValidateError();
|
||||
|
@ -397,12 +382,9 @@ sub validate {
|
|||
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
|
||||
|
||||
unless ($localSession) {
|
||||
$self->lmLog(
|
||||
"Local session "
|
||||
$self->logger->warn( "Local session "
|
||||
. $casServiceSession->data->{_cas_id}
|
||||
. " notfound",
|
||||
'error'
|
||||
);
|
||||
. " notfound" );
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasValidateError();
|
||||
}
|
||||
|
@ -412,7 +394,7 @@ sub validate {
|
|||
$localSession->data->{ $self->conf->{casAttr}
|
||||
|| $self->conf->{whatToTrace} };
|
||||
|
||||
$self->lmLog( "Get username $username", 'debug' );
|
||||
$self->logger->debug("Get username $username");
|
||||
|
||||
# Return success message
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
|
@ -437,9 +419,8 @@ sub proxyValidate {
|
|||
|
||||
sub _validate2 {
|
||||
my ( $self, $urlType, $req ) = @_;
|
||||
$self->lmLog(
|
||||
'URL ' . $req->uri . " detected as an CAS $urlType VALIDATE URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'URL ' . $req->uri . " detected as an CAS $urlType VALIDATE URL" );
|
||||
|
||||
# GET parameters
|
||||
my $service = $req->param('service');
|
||||
|
@ -452,27 +433,24 @@ sub _validate2 {
|
|||
|
||||
# Required parameters: service and ticket
|
||||
unless ( $service and $ticket ) {
|
||||
$self->lmLog( "Service and Ticket parameters required", 'error' );
|
||||
$self->logger->error("Service and Ticket parameters required");
|
||||
return $self->returnCasServiceValidateError( 'INVALID_REQUEST',
|
||||
'Missing mandatory parameters (service, ticket)' );
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Get "
|
||||
$self->logger->debug( "Get "
|
||||
. lc($urlType)
|
||||
. " validate request with ticket $ticket for service $service",
|
||||
'debug'
|
||||
);
|
||||
. " validate request with ticket $ticket for service $service" );
|
||||
|
||||
# Get CAS session corresponding to ticket
|
||||
if ( $urlType eq 'SERVICE' and !( $ticket =~ s/^ST-// ) ) {
|
||||
$self->lmLog( "Provided ticket is not a service ticket (ST)", 'error' );
|
||||
$self->logger->error("Provided ticket is not a service ticket (ST)");
|
||||
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
|
||||
'Provided ticket is not a service ticket' );
|
||||
}
|
||||
elsif ( $urlType eq 'PROXY' and !( $ticket =~ s/^(P|S)T-// ) ) {
|
||||
$self->lmLog( "Provided ticket is not a service or proxy ticket ($1T)",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Provided ticket is not a service or proxy ticket ($1T)");
|
||||
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
|
||||
'Provided ticket is not a service or proxy ticket' );
|
||||
}
|
||||
|
@ -480,12 +458,12 @@ sub _validate2 {
|
|||
my $casServiceSession = $self->getCasSession($ticket);
|
||||
|
||||
unless ($casServiceSession) {
|
||||
$self->lmLog( "$urlType ticket session $ticket not found", 'error' );
|
||||
$self->logger->error("$urlType ticket session $ticket not found");
|
||||
return $self->returnCasServiceValidateError( 'INVALID_TICKET',
|
||||
'Ticket not found' );
|
||||
}
|
||||
|
||||
$self->lmLog( "$urlType ticket session $ticket found", 'debug' );
|
||||
$self->logger->debug("$urlType ticket session $ticket found");
|
||||
|
||||
my $service1_uri = URI->new($service);
|
||||
my $service2_uri = URI->new( $casServiceSession->data->{service} );
|
||||
|
@ -497,39 +475,34 @@ sub _validate2 {
|
|||
if ( $service1_uri->rel($service2_uri) eq "./"
|
||||
or $service2_uri->rel($service1_uri) eq "./" )
|
||||
{
|
||||
$self->lmLog(
|
||||
$self->logger->notice(
|
||||
"Submitted service $service1_uri does not exactly match initial service "
|
||||
. $service2_uri
|
||||
. ' but difference is tolerated.',
|
||||
'warn'
|
||||
);
|
||||
. ' but difference is tolerated.' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
$self->userLogger->error(
|
||||
"Submitted service $service does not match initial service "
|
||||
. $casServiceSession->data->{service},
|
||||
'error'
|
||||
);
|
||||
. $casServiceSession->data->{service} );
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasServiceValidateError( 'INVALID_SERVICE',
|
||||
'Submitted service does not match initial service' );
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Submitted service $service match initial service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Submitted service $service match initial service");
|
||||
}
|
||||
|
||||
# Check renew
|
||||
if ( $renew and $renew eq 'true' ) {
|
||||
|
||||
# We should check the ST was delivered with primary credentials
|
||||
$self->lmLog( "Renew flag detected ", 'debug' );
|
||||
$self->logger->debug("Renew flag detected ");
|
||||
|
||||
unless ( $casServiceSession->data->{renew} ) {
|
||||
$self->lmLog(
|
||||
"Authentication renew requested, but not done in former authentication process",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"Authentication renew requested, but not done in former authentication process"
|
||||
);
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasValidateError();
|
||||
|
@ -544,8 +517,8 @@ sub _validate2 {
|
|||
if ($pgtUrl) {
|
||||
|
||||
# Create a proxy granting ticket
|
||||
$self->lmLog( "Create a CAS proxy granting ticket for service $service",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Create a CAS proxy granting ticket for service $service");
|
||||
|
||||
my $casProxyGrantingSession = $self->getCasSession();
|
||||
|
||||
|
@ -571,9 +544,8 @@ sub _validate2 {
|
|||
|
||||
$casProxyGrantingSession->update($PGinfos);
|
||||
|
||||
$self->lmLog(
|
||||
"CAS proxy granting session $casProxyGrantingSessionID created",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"CAS proxy granting session $casProxyGrantingSessionID created"
|
||||
);
|
||||
|
||||
# Generate the proxy granting ticket IOU
|
||||
|
@ -583,9 +555,8 @@ sub _validate2 {
|
|||
|
||||
$casProxyGrantingTicketIOU = "PGTIOU-" . $tmpCasSession->id;
|
||||
$self->deleteCasSession($tmpCasSession);
|
||||
$self->lmLog(
|
||||
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Generate proxy granting ticket IOU $casProxyGrantingTicketIOU"
|
||||
);
|
||||
|
||||
# Request pgtUrl
|
||||
|
@ -596,22 +567,20 @@ sub _validate2 {
|
|||
)
|
||||
)
|
||||
{
|
||||
$self->lmLog(
|
||||
"Proxy granting URL $pgtUrl called with success",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Proxy granting URL $pgtUrl called with success");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Error calling proxy granting URL $pgtUrl",
|
||||
'warn' );
|
||||
$self->logger->error(
|
||||
"Error calling proxy granting URL $pgtUrl");
|
||||
$casProxyGrantingTicketIOU = undef;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Error in proxy granting ticket management, bypass it",
|
||||
'warn' );
|
||||
$self->logger->warn(
|
||||
"Error in proxy granting ticket management, bypass it");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -620,12 +589,9 @@ sub _validate2 {
|
|||
$self->p->getApacheSession( $casServiceSession->data->{_cas_id} );
|
||||
|
||||
unless ($localSession) {
|
||||
$self->lmLog(
|
||||
"Local session "
|
||||
$self->userLogger->error( "Local session "
|
||||
. $casServiceSession->data->{_cas_id}
|
||||
. " notfound",
|
||||
'error'
|
||||
);
|
||||
. " notfound" );
|
||||
$self->deleteCasSession($casServiceSession);
|
||||
return $self->returnCasServiceValidateError( 'INTERNAL_ERROR',
|
||||
'No session associated to ticket' );
|
||||
|
@ -636,7 +602,7 @@ sub _validate2 {
|
|||
$localSession->data->{ $self->conf->{casAttr}
|
||||
|| $self->conf->{whatToTrace} };
|
||||
|
||||
$self->lmLog( "Get username $username", 'debug' );
|
||||
$self->logger->debug("Get username $username");
|
||||
|
||||
# Get attributes [CAS 3.0]
|
||||
my $attributes = {};
|
||||
|
|
|
@ -22,19 +22,19 @@ sub run {
|
|||
$req->path =~ m#^$self->{conf}->{issuerDBGetPath}/(log(?:in|out))#;
|
||||
my $logInOut = $1 || 'login';
|
||||
if ( $logInOut eq 'login' ) {
|
||||
$self->lmLog( "IssuerGet: request for login", 'debug' );
|
||||
$self->logger->debug("IssuerGet: request for login");
|
||||
$self->computeGetParams($req);
|
||||
return PE_OK;
|
||||
}
|
||||
elsif ( $logInOut eq 'logout' ) {
|
||||
$self->lmLog( "IssuerGet: request for logout", 'debug' );
|
||||
$self->logger->debug("IssuerGet: request for logout");
|
||||
|
||||
# TODO
|
||||
# Display a link to the provided URL
|
||||
return PE_OK;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "IssuerGet: bad url", 'error' );
|
||||
$self->logger->error("IssuerGet: bad url");
|
||||
return PE_BADURL;
|
||||
}
|
||||
}
|
||||
|
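Review bot: `my $logInOut = $1 || 'login';` (context, just above the first changed line) turns a non-matching path into 'login', so `$logInOut` can only ever be 'login' or 'logout' and the `else` branch that now logs `IssuerGet: bad url` and returns `PE_BADURL` is unreachable. If the bare `issuerDBGetPath` is meant to default to login, the dead branch can go; if unknown paths are meant to be rejected, capture directly, `my ($logInOut) = $req->path =~ m#^$self->{conf}->{issuerDBGetPath}/(log(?:in|out))#;`, and test `defined $logInOut` before the `eq` comparisons. Note also that `$1` is read after a match whose success is never checked, so a stale capture from an enclosing scope could leak in. run continues outside the hunk.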
@ -53,21 +53,21 @@ sub computeGetParams {
|
|||
my @getPrms;
|
||||
if ( exists $self->conf->{issuerDBGetParameters} ) {
|
||||
unless ( $req->urldc =~ m#^https?://([^/]+)# ) {
|
||||
$self->lmLog( "Malformed url $req->urldc", 'error' );
|
||||
$self->logger->error("Malformed url $req->urldc");
|
||||
return;
|
||||
}
|
||||
my $vhost = $1;
|
||||
my $prms = $self->conf->{issuerDBGetParameters}->{$vhost};
|
||||
unless ($prms) {
|
||||
$self->lmLog( "IssuerGet: $vhost has no configuration", 'warn' );
|
||||
$self->logger->warn("IssuerGet: $vhost has no configuration");
|
||||
return '';
|
||||
}
|
||||
foreach my $param ( keys %$prms ) {
|
||||
my $value =
|
||||
eval { uri_escape( $req->{sessionInfo}->{ $prms->{$param} } ) };
|
||||
if ($@) {
|
||||
$self->lmLog( "IssuerGet: unable to compute $param ($@)",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"IssuerGet: unable to compute $param ($@)");
|
||||
return;
|
||||
}
|
||||
$value =~ s/[\r\n\t]//;
|
||||
|
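Review bot: `$self->logger->error("Malformed url $req->urldc");` does not interpolate the method call: Perl expands only `$req` (the stringified object) and leaves `->urldc` as literal text, so the entry never shows the offending URL. Since the line is rewritten anyway, concatenate instead: `$self->logger->error( "Malformed url " . $req->urldc );`. Further down in the same hunk, `$value =~ s/[\r\n\t]//;` removes only the first control character from a value that is about to be placed in a URL; it needs the `/g` flag, `$value =~ s/[\r\n\t]//g;`. computeGetParams continues outside the hunk.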
@ -75,7 +75,7 @@ sub computeGetParams {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "IssuerGet: no configuration", 'warn' );
|
||||
$self->logger->warn("IssuerGet: no configuration");
|
||||
return;
|
||||
}
|
||||
my $getVars = join '&', @getPrms;
|
||||
|
|
|
@ -72,7 +72,7 @@ sub forUnauthUser {
|
|||
my ( $self, $req ) = @_;
|
||||
my $mode = $req->param('openid.mode');
|
||||
unless ($mode) {
|
||||
$self->lmLog( 'OpenID SP test', 'debug' );
|
||||
$self->logger->debug('OpenID SP test');
|
||||
return PE_OPENID_EMPTY;
|
||||
}
|
||||
if ( $mode eq 'associate' ) {
|
||||
|
@ -91,14 +91,13 @@ sub run {
|
|||
my $mode = $req->param('openid.mode');
|
||||
|
||||
unless ($mode) {
|
||||
$self->lmLog( 'OpenID SP test', 'debug' );
|
||||
$self->logger->debug('OpenID SP test');
|
||||
return PE_OPENID_EMPTY;
|
||||
}
|
||||
|
||||
unless ( $mode =~ /^checkid_(?:immediate|setup)/ ) {
|
||||
$self->lmLog(
|
||||
"OpenID error : $mode is not known at this step (issuerForAuthUser)",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"OpenID error : $mode is not known at this step (issuerForAuthUser)"
|
||||
);
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
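Review bot: The rewritten `logger->error` call embeds `$mode` verbatim, and `$mode` is read straight from `$req->param('openid.mode')` at the top of the hunk, so any client can write an arbitrary string into the error log; the next hunk's forbidden-trust_root case, which is the same kind of client-caused condition, is routed to `userLogger->warn` instead, so the two should agree on logger and level. If the value must be kept in the message, drop control characters first the way computeGetParams does for its values: `( my $safeMode = $mode ) =~ s/[\r\n\t]//g;` and log `$safeMode`. Whether the configured logger backend already neutralises embedded newlines is not visible here. run continues outside the hunk.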
@ -149,13 +148,13 @@ sub openIDServer {
|
|||
my $tmp = $trust_root;
|
||||
$tmp =~ s#^http://(.*?)/#$1#;
|
||||
if ( $tmp =~ $self->spList xor $self->listIsWhite ) {
|
||||
$self->lmLog( "$trust_root is forbidden for openID exchange",
|
||||
'warn' );
|
||||
$self->userLogger->warn(
|
||||
"$trust_root is forbidden for openID exchange");
|
||||
$req->datas->{_openIdForbidden} = 1;
|
||||
return 0;
|
||||
}
|
||||
elsif ( $req->{sessionInfo}->{"_openidTrust$trust_root"} ) {
|
||||
$self->lmLog( 'OpenID request already trusted', 'debug' );
|
||||
$self->logger->debug('OpenID request already trusted');
|
||||
return 1;
|
||||
}
|
||||
elsif ( $req->param("confirm") and $req->param("confirm") == 1 ) {
|
||||
|
@ -169,7 +168,7 @@ sub openIDServer {
|
|||
return 0;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'OpenID request not trusted', 'debug' );
|
||||
$self->logger->debug('OpenID request not trusted');
|
||||
$req->datas->{_openIdTrustRequired} = 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -194,7 +193,7 @@ sub _openIDResponse {
|
|||
|
||||
# Redirect
|
||||
if ( $type eq 'redirect' ) {
|
||||
$self->lmLog( "OpenID redirection to $data", 'debug' );
|
||||
$self->logger->debug("OpenID redirection to $data");
|
||||
$req->{urldc} = $data;
|
||||
return PE_REDIRECT;
|
||||
}
|
||||
|
@ -209,7 +208,7 @@ sub _openIDResponse {
|
|||
$req->info('<h3 trspan="openidExchange,$data->{trust_root}"></h3>');
|
||||
$req->info( $req->datas->{_openIdTrustExtMsg} )
|
||||
if ( $req->datas->{_openIdTrustExtMsg} );
|
||||
$self->lmLog( 'OpenID confirmation', 'debug' );
|
||||
$self->logger->debug('OpenID confirmation');
|
||||
return PE_CONFIRM;
|
||||
}
|
||||
elsif ( $req->datas->{_badOpenIdentity} ) {
|
||||
|
@ -231,7 +230,7 @@ sub _openIDResponse {
|
|||
}
|
||||
}
|
||||
elsif ($type) {
|
||||
$self->lmLog( "OpenID generated page ($type)", 'debug' );
|
||||
$self->logger->debug("OpenID generated page ($type)");
|
||||
$req->response( [ 200, [ 'Content-Type' => $type ], [$data] ] );
|
||||
}
|
||||
else {
|
||||
|
|
|
@ -90,8 +90,8 @@ sub run {
|
|||
|
||||
# AUTHORIZE
|
||||
if ( $path eq $self->conf->{oidcServiceMetaDataAuthorizeURI} ) {
|
||||
$self->lmLog( "URL detected as an OpenID Connect AUTHORIZE URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL detected as an OpenID Connect AUTHORIZE URL");
|
||||
|
||||
# Get and save parameters
|
||||
my $oidc_request = {};
|
||||
|
@ -103,11 +103,8 @@ sub run {
|
|||
{
|
||||
if ( $req->param($param) ) {
|
||||
$oidc_request->{$param} = $req->param($param);
|
||||
$self->lmLog(
|
||||
"OIDC request parameter $param: "
|
||||
. $oidc_request->{$param},
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug( "OIDC request parameter $param: "
|
||||
. $oidc_request->{$param} );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -116,13 +113,11 @@ sub run {
|
|||
my $flow = $self->getFlowType($response_type);
|
||||
|
||||
unless ($flow) {
|
||||
$self->lmLog( "Unknown response type: $response_type",
|
||||
'error' );
|
||||
$self->logger->error("Unknown response type: $response_type");
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog(
|
||||
"OIDC $flow flow requested (response type: $response_type)",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"OIDC $flow flow requested (response type: $response_type)");
|
||||
|
||||
# Extract request_uri/request parameter
|
||||
if ( $oidc_request->{'request_uri'} ) {
|
||||
|
@ -133,8 +128,7 @@ sub run {
|
|||
$oidc_request->{'request'} = $request;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Error with Request URI resolution",
|
||||
'error' );
|
||||
$self->logger->error("Error with Request URI resolution");
|
||||
return PE_ERROR;
|
||||
}
|
||||
}
|
||||
|
@ -145,9 +139,8 @@ sub run {
|
|||
|
||||
# Override OIDC parameters by request content
|
||||
foreach ( keys %$request ) {
|
||||
$self->lmLog(
|
||||
"Override $_ OIDC param by value present in request parameter",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Override $_ OIDC param by value present in request parameter"
|
||||
);
|
||||
$oidc_request->{$_} = $request->{$_};
|
||||
$self->p->setHiddenFormValue( $_, $request->{$_}, '' );
|
||||
|
@ -156,11 +149,11 @@ sub run {
|
|||
|
||||
# Check all required parameters
|
||||
unless ( $oidc_request->{'redirect_uri'} ) {
|
||||
$self->lmLog( "Redirect URI is required", 'error' );
|
||||
$self->logger->error("Redirect URI is required");
|
||||
return PE_ERROR;
|
||||
}
|
||||
unless ( $oidc_request->{'scope'} ) {
|
||||
$self->lmLog( "Scope is required", 'error' );
|
||||
$self->logger->error("Scope is required");
|
||||
$self->returnRedirectError(
|
||||
$req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
|
@ -172,7 +165,7 @@ sub run {
|
|||
);
|
||||
}
|
||||
unless ( $oidc_request->{'client_id'} ) {
|
||||
$self->lmLog( "Client ID is required", 'error' );
|
||||
$self->logger->error("Client ID is required");
|
||||
return $self->returnRedirectError(
|
||||
$req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
|
@ -185,7 +178,7 @@ sub run {
|
|||
}
|
||||
if ( $flow eq "implicit" and not defined $oidc_request->{'nonce'} )
|
||||
{
|
||||
$self->lmLog( "Nonce is required for implicit flow", 'error' );
|
||||
$self->logger->error("Nonce is required for implicit flow");
|
||||
return $self->returnRedirectError(
|
||||
$req, $oidc_request->{'redirect_uri'},
|
||||
"invalid_request", "nonce required",
|
||||
|
@ -197,8 +190,8 @@ sub run {
|
|||
if ( $flow eq "authorizationcode"
|
||||
and not $self->conf->{oidcServiceAllowAuthorizationCodeFlow} )
|
||||
{
|
||||
$self->lmLog( "Authorization code flow is not allowed",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Authorization code flow is not allowed");
|
||||
return $self->returnRedirectError(
|
||||
$req, $oidc_request->{'redirect_uri'},
|
||||
"server_error", "Authorization code flow not allowed",
|
||||
|
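Review bot: The rewritten `$self->userLogger->error("Authorization code flow is not allowed");` uses a different logger from its two siblings, `$self->logger->error("Implicit flow is not allowed");` and `$self->logger->error("Hybrid flow is not allowed");` in the next two hunks (`@ -209` and `@ -220`). All three fire on a server-side setting (`oidcServiceAllowAuthorizationCodeFlow`, `oidcServiceAllowImplicitFlow`, `oidcServiceAllowHybridFlow`) rather than on anything the user did, so the one here should read `$self->logger->error("Authorization code flow is not allowed");` unless the split between `logger` and `userLogger` is meant to track something else. Either way, the three checks should use the same logger so the events are filed in one place. run continues outside the hunk.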
@ -209,7 +202,7 @@ sub run {
|
|||
if ( $flow eq "implicit"
|
||||
and not $self->conf->{oidcServiceAllowImplicitFlow} )
|
||||
{
|
||||
$self->lmLog( "Implicit flow is not allowed", 'error' );
|
||||
$self->logger->error("Implicit flow is not allowed");
|
||||
return $self->returnRedirectError(
|
||||
$req, $oidc_request->{'redirect_uri'},
|
||||
"server_error", "Implicit flow not allowed",
|
||||
|
@ -220,7 +213,7 @@ sub run {
|
|||
if ( $flow eq "hybrid"
|
||||
and not $self->conf->{oidcServiceAllowHybridFlow} )
|
||||
{
|
||||
$self->lmLog( "Hybrid flow is not allowed", 'error' );
|
||||
$self->logger->error("Hybrid flow is not allowed");
|
||||
return $self->returnRedirectError(
|
||||
$req, $oidc_request->{'redirect_uri'},
|
||||
"server_error", "Hybrid flow not allowed",
|
||||
|
@ -233,9 +226,8 @@ sub run {
|
|||
my $reauthentication = 0;
|
||||
my $prompt = $oidc_request->{'prompt'};
|
||||
if ( $prompt and $prompt =~ /\blogin\b/ ) {
|
||||
$self->lmLog(
|
||||
"Reauthentication requested by Relying Party in prompt parameter",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Reauthentication requested by Relying Party in prompt parameter"
|
||||
);
|
||||
$reauthentication = 1;
|
||||
}
|
||||
|
@ -243,9 +235,8 @@ sub run {
|
|||
my $max_age = $oidc_request->{'max_age'};
|
||||
my $_lastAuthnUTime = $req->{sessionInfo}->{_lastAuthnUTime};
|
||||
if ( $max_age && time > $_lastAuthnUTime + $max_age ) {
|
||||
$self->lmLog(
|
||||
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)"
|
||||
);
|
||||
$reauthentication = 1;
|
||||
}
|
||||
|
@ -272,7 +263,7 @@ sub run {
|
|||
|
||||
# Check openid scope
|
||||
unless ( $oidc_request->{'scope'} =~ /\bopenid\b/ ) {
|
||||
$self->lmLog( "No openid scope found", 'debug' );
|
||||
$self->logger->debug("No openid scope found");
|
||||
|
||||
#TODO manage standard OAuth request
|
||||
return PE_OK;
|
||||
|
@ -280,15 +271,14 @@ sub run {
|
|||
|
||||
# Check client_id
|
||||
my $client_id = $oidc_request->{'client_id'};
|
||||
$self->lmLog( "Request from client id $client_id", 'debug' );
|
||||
$self->logger->debug("Request from client id $client_id");
|
||||
|
||||
# Verify that client_id is registered in configuration
|
||||
my $rp = $self->getRP($client_id);
|
||||
|
||||
unless ($rp) {
|
||||
$self->lmLog(
|
||||
"No registered Relying Party found with client_id $client_id",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"No registered Relying Party found with client_id $client_id"
|
||||
);
|
||||
return $self->returnRedirectError(
|
||||
$req,
|
||||
|
@ -301,7 +291,7 @@ sub run {
|
|||
);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||
$self->logger->debug("Client id $client_id match RP $rp");
|
||||
}
|
||||
|
||||
# Check Request JWT signature
|
||||
|
@ -313,12 +303,12 @@ sub run {
|
|||
)
|
||||
)
|
||||
{
|
||||
$self->lmLog( "Request JWT signature could not be verified",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Request JWT signature could not be verified");
|
||||
return PE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Request JWT signature verified", 'debug' );
|
||||
$self->logger->debug("Request JWT signature verified");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -333,8 +323,8 @@ sub run {
|
|||
$redirect_uri_allowed = 1 if $redirect_uri eq $_;
|
||||
}
|
||||
unless ($redirect_uri_allowed) {
|
||||
$self->lmLog( "Redirect URI $redirect_uri not allowed",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Redirect URI $redirect_uri not allowed");
|
||||
return PE_BADURL;
|
||||
}
|
||||
}
|
||||
|
@ -343,7 +333,7 @@ sub run {
|
|||
my $id_token_hint = $oidc_request->{'id_token_hint'};
|
||||
if ($id_token_hint) {
|
||||
|
||||
$self->lmLog( "Check sub of ID Token $id_token_hint", 'debug' );
|
||||
$self->logger->debug("Check sub of ID Token $id_token_hint");
|
||||
|
||||
# Check that id_token_hint sub match current user
|
||||
my $sub = $self->getIDTokenSub($id_token_hint);
|
||||
|
@ -353,9 +343,8 @@ sub run {
|
|||
|| $self->conf->{whatToTrace};
|
||||
my $user_id = $req->{sessionInfo}->{$user_id_attribute};
|
||||
unless ( $sub eq $user_id ) {
|
||||
$self->lmLog(
|
||||
"ID Token hint sub $sub do not match user $user_id",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"ID Token hint sub $sub do not match user $user_id");
|
||||
return $self->returnRedirectError(
|
||||
$req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
|
@ -367,8 +356,8 @@ sub run {
|
|||
);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "ID Token hint sub $sub match current user",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"ID Token hint sub $sub match current user");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -376,9 +365,8 @@ sub run {
|
|||
my $bypassConsent = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsBypassConsent};
|
||||
if ($bypassConsent) {
|
||||
$self->lmLog(
|
||||
"Consent is disabled for RP $rp, user will not be prompted",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Consent is disabled for RP $rp, user will not be prompted"
|
||||
);
|
||||
}
|
||||
else {
|
||||
|
@ -392,9 +380,8 @@ sub run {
|
|||
my $consent_scope =
|
||||
$req->{sessionInfo}->{"_oidc_consent_scope_$rp"};
|
||||
|
||||
$self->lmLog(
|
||||
"Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)"
|
||||
);
|
||||
|
||||
# Check accepted scope
|
||||
|
@ -402,14 +389,12 @@ sub run {
|
|||
split( /\s+/, $oidc_request->{'scope'} ) )
|
||||
{
|
||||
if ( $consent_scope =~ /\b$requested_scope\b/ ) {
|
||||
$self->lmLog(
|
||||
"Scope $requested_scope already accepted",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Scope $requested_scope already accepted");
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Scope $requested_scope was not previously accepted",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Scope $requested_scope was not previously accepted"
|
||||
);
|
||||
$ask_for_consent = 1;
|
||||
last;
|
||||
|
@ -431,15 +416,14 @@ sub run {
|
|||
$oidc_request->{'scope'}
|
||||
}
|
||||
);
|
||||
$self->lmLog( "Consent given for Relying Party $rp",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Consent given for Relying Party $rp");
|
||||
}
|
||||
elsif ( $req->param('confirm')
|
||||
and $req->param('confirm') == -1 )
|
||||
{
|
||||
$self->lmLog(
|
||||
"User refused consent for Relying party $rp",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"User refused consent for Relying party $rp");
|
||||
return $self->returnRedirectError(
|
||||
$req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
|
@ -451,15 +435,13 @@ sub run {
|
|||
);
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Obtain user consent for Relying Party $rp",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Obtain user consent for Relying Party $rp");
|
||||
|
||||
# Return error if prompt is none
|
||||
if ( $prompt and $prompt =~ /\bnone\b/ ) {
|
||||
$self->lmLog(
|
||||
"Consent is needed but prompt is none",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Consent is needed but prompt is none");
|
||||
return $self->returnRedirectError(
|
||||
$req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
|
@ -526,7 +508,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
my $codeSession = $self->getOpenIDConnectSession();
|
||||
my $code = $codeSession->id();
|
||||
|
||||
$self->lmLog( "Generated code: $code", 'debug' );
|
||||
$self->logger->debug("Generated code: $code");
|
||||
|
||||
# Store data in session
|
||||
$codeSession->update(
|
||||
|
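Review bot: `$self->logger->debug("Generated code: $code");` writes the full authorization code to the log, and the same is done with access tokens (`"Generated access token: $access_token"` in hunks `@ -585`, `@ -722` and `@ -952`), id tokens (`"Generated id token: $id_token"`), the incoming code in `token` (`"OpenID Connect Code: $code"`) and the bearer token in `userInfo` (`"Received Access Token $access_token"`). These are live bearer credentials: anyone who can read the log, or a syslog it may be forwarded to, can replay them while they are valid, and the debug level only narrows that window. A prefix is usually enough to correlate log lines, e.g. `$self->logger->debug( "Generated code: " . substr( $code, 0, 8 ) . "..." );`, applied at each of those sites. The value is the session id itself here, since `$code` is `$codeSession->id()` two lines up.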
@ -546,7 +528,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
$session_state
|
||||
);
|
||||
|
||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $response_url");
|
||||
$req->urldc($response_url);
|
||||
|
||||
return PE_REDIRECT;
|
||||
|
@ -564,9 +546,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
my $accessTokenSession = $self->getOpenIDConnectSession;
|
||||
|
||||
unless ($accessTokenSession) {
|
||||
$self->lmLog(
|
||||
"Unable to create OIDC session for access_token",
|
||||
"error" );
|
||||
$self->logger->error(
|
||||
"Unable to create OIDC session for access_token");
|
||||
$self->returnRedirectError( $req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
"server_error", undef, undef,
|
||||
|
@ -585,8 +566,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
|
||||
$access_token = $accessTokenSession->id;
|
||||
|
||||
$self->lmLog( "Generated access token: $access_token",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Generated access token: $access_token");
|
||||
|
||||
# Compute hash to store in at_hash
|
||||
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
@ -642,7 +623,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
my $id_token =
|
||||
$self->createIDToken( $id_token_payload_hash, $rp );
|
||||
|
||||
$self->lmLog( "Generated id token: $id_token", 'debug' );
|
||||
$self->logger->debug("Generated id token: $id_token");
|
||||
|
||||
# Send token response
|
||||
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
@ -656,7 +637,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
$session_state
|
||||
);
|
||||
|
||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $response_url");
|
||||
$req->urldc($response_url);
|
||||
|
||||
return PE_REDIRECT;
|
||||
|
@ -679,7 +660,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
my $codeSession = $self->getOpenIDConnectSession();
|
||||
my $code = $codeSession->id();
|
||||
|
||||
$self->lmLog( "Generated code: $code", 'debug' );
|
||||
$self->logger->debug("Generated code: $code");
|
||||
|
||||
# Store data in session
|
||||
$codeSession->update(
|
||||
|
@ -701,9 +682,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
my $accessTokenSession = $self->getOpenIDConnectSession;
|
||||
|
||||
unless ($accessTokenSession) {
|
||||
$self->lmLog(
|
||||
"Unable to create OIDC session for access_token",
|
||||
"error" );
|
||||
$self->logger->error(
|
||||
"Unable to create OIDC session for access_token");
|
||||
return $self->returnRedirectError( $req,
|
||||
$oidc_request->{'redirect_uri'},
|
||||
"server_error", undef, undef,
|
||||
|
@ -722,8 +702,8 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
|
||||
$access_token = $accessTokenSession->id;
|
||||
|
||||
$self->lmLog( "Generated access token: $access_token",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Generated access token: $access_token");
|
||||
|
||||
# Compute hash to store in at_hash
|
||||
$at_hash = $self->createHash( $access_token, $hash_level );
|
||||
|
@ -769,7 +749,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
$id_token =
|
||||
$self->createIDToken( $id_token_payload_hash, $rp );
|
||||
|
||||
$self->lmLog( "Generated id token: $id_token", 'debug' );
|
||||
$self->logger->debug("Generated id token: $id_token");
|
||||
}
|
||||
|
||||
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
@ -783,30 +763,27 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
$session_state
|
||||
);
|
||||
|
||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $response_url");
|
||||
$req->urldc($response_url);
|
||||
return PE_REDIRECT;
|
||||
}
|
||||
|
||||
$self->lmLog( "No flow has been selected", 'debug' );
|
||||
$self->logger->debug("No flow has been selected");
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
# LOGOUT
|
||||
elsif ( $path eq $self->conf->{oidcServiceMetaDataEndSessionURI} ) {
|
||||
$self->lmLog( "URL detected as an OpenID Connect END SESSION URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL detected as an OpenID Connect END SESSION URL");
|
||||
|
||||
# Set hidden fields
|
||||
my $oidc_request = {};
|
||||
foreach my $param (qw/id_token_hint post_logout_redirect_uri state/)
|
||||
{
|
||||
if ( $oidc_request->{$param} = $req->param($param) ) {
|
||||
$self->lmLog(
|
||||
"OIDC request parameter $param: "
|
||||
. $oidc_request->{$param},
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug( "OIDC request parameter $param: "
|
||||
. $oidc_request->{$param} );
|
||||
$self->p->setHiddenFormValue( $param,
|
||||
$oidc_request->{$param}, '' );
|
||||
}
|
||||
|
@ -830,7 +807,7 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
$self->buildLogoutResponse( $post_logout_redirect_uri,
|
||||
$state );
|
||||
|
||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $response_url");
|
||||
$req->urldc($response_url);
|
||||
return PE_REDIRECT;
|
||||
}
|
||||
|
@ -844,23 +821,22 @@ qq'<h3 trspan="oidcConsent,$display_name">The application $display_name would li
|
|||
return PE_CONFIRM;
|
||||
}
|
||||
}
|
||||
$self->lmLog( "Unknown OIDC endpoint $path, skipping", 'error' );
|
||||
$self->logger->error("Unknown OIDC endpoint $path, skipping");
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Handle token endpoint
|
||||
sub token {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect TOKEN URL", 'debug' );
|
||||
$self->logger->debug("URL detected as an OpenID Connect TOKEN URL");
|
||||
|
||||
# Check authentication
|
||||
my ( $client_id, $client_secret ) =
|
||||
$self->getEndPointAuthenticationCredentials($req);
|
||||
|
||||
unless ( $client_id && $client_secret ) {
|
||||
$self->lmLog(
|
||||
"No authentication provided to get token, or authentication type not supported",
|
||||
"error"
|
||||
$self->logger->error(
|
||||
"No authentication provided to get token, or authentication type not supported"
|
||||
);
|
||||
return $self->p->sendError( $req, 'unauthorized_client', 401 );
|
||||
}
|
||||
|
@ -869,43 +845,39 @@ sub token {
|
|||
my $rp = $self->getRP($client_id);
|
||||
|
||||
unless ($rp) {
|
||||
$self->lmLog(
|
||||
"No registered Relying Party found with client_id $client_id",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"No registered Relying Party found with client_id $client_id");
|
||||
return $self->p->sendError( $req, "unauthorized_client", 403 );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Client id $client_id match RP $rp", 'debug' );
|
||||
$self->logger->debug("Client id $client_id match RP $rp");
|
||||
}
|
||||
|
||||
# Check client_secret
|
||||
unless ( $client_secret eq $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsClientSecret} )
|
||||
{
|
||||
$self->lmLog( "Wrong credentials for $rp", "error" );
|
||||
$self->logger->error("Wrong credentials for $rp");
|
||||
return $self->p->sendError( "access_denied", 403 );
|
||||
}
|
||||
|
||||
# Get code session
|
||||
my $code = $req->param('code');
|
||||
|
||||
$self->lmLog( "OpenID Connect Code: $code", 'debug' );
|
||||
$self->logger->debug("OpenID Connect Code: $code");
|
||||
|
||||
my $codeSession = $self->getOpenIDConnectSession($code);
|
||||
|
||||
unless ($codeSession) {
|
||||
$self->lmLog( "Unable to find OIDC session $code", "error" );
|
||||
$self->logger->error("Unable to find OIDC session $code");
|
||||
$self->p->sendError( $req, "invalid_grant", 400 );
|
||||
}
|
||||
|
||||
# Check we have the same redirect_uri value
|
||||
unless ( $req->param("redirect_uri") eq $codeSession->data->{redirect_uri} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"Provided redirect_uri is different from "
|
||||
. $codeSession->{redirect_uri},
|
||||
"error"
|
||||
);
|
||||
$self->userLogger->error( "Provided redirect_uri is different from "
|
||||
. $codeSession->{redirect_uri} );
|
||||
$self->p->sendError( $req, "invalid_request", 400 );
|
||||
}
|
||||
|
||||
|
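Review bot: `return $self->p->sendError( "access_denied", 403 );` on the wrong-credentials path omits the `$req` first argument that every other `sendError` call in this function passes (compare `return $self->p->sendError( $req, "unauthorized_client", 403 );` just above), so the error response for a bad client_secret is built from shifted arguments. The `invalid_grant` and `invalid_request` branches below have the opposite problem: they call `sendError` without `return`, so after a missing code session the code goes on to evaluate `$codeSession->data->{redirect_uri}` on an undefined value; the same missing `return` is in the next two hunks (`@ -915` and `@ -928`). Each of those should read `return $self->p->sendError( $req, "...", 400 );`. Separately, the rewritten message logs `$codeSession->{redirect_uri}` while the comparison two lines above reads `$codeSession->data->{redirect_uri}`, so the logged value comes from a different slot; use `. $codeSession->data->{redirect_uri} );`. token continues outside the hunk.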
@ -915,9 +887,8 @@ sub token {
|
|||
noInfo => 1 );
|
||||
|
||||
unless ($apacheSession) {
|
||||
$self->lmLog(
|
||||
"Unable to find user session linked to OIDC session $code",
|
||||
"error" );
|
||||
$self->userLogger->error(
|
||||
"Unable to find user session linked to OIDC session $code");
|
||||
$codeSession->remove();
|
||||
$self->p->sendError( $req, "invalid_request", 400 );
|
||||
}
|
||||
|
@ -928,14 +899,14 @@ sub token {
|
|||
|| $self->conf->{whatToTrace};
|
||||
my $user_id = $apacheSession->data->{$user_id_attribute};
|
||||
|
||||
$self->lmLog( "Found corresponding user: $user_id", 'debug' );
|
||||
$self->logger->debug("Found corresponding user: $user_id");
|
||||
|
||||
# Generate access_token
|
||||
my $accessTokenSession = $self->getOpenIDConnectSession;
|
||||
|
||||
unless ($accessTokenSession) {
|
||||
$self->lmLog( "Unable to create OIDC session for access_token",
|
||||
"error" );
|
||||
$self->userLogger->error(
|
||||
"Unable to create OIDC session for access_token");
|
||||
$codeSession->remove();
|
||||
$self->p->sendError( $req, "invalid_request", 400 );
|
||||
}
|
||||
|
@ -952,7 +923,7 @@ sub token {
|
|||
|
||||
my $access_token = $accessTokenSession->id;
|
||||
|
||||
$self->lmLog( "Generated access token: $access_token", 'debug' );
|
||||
$self->logger->debug("Generated access token: $access_token");
|
||||
|
||||
# Compute hash to store in at_hash
|
||||
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
@ -973,8 +944,8 @@ sub token {
|
|||
aud => [$client_id], # Audience
|
||||
exp => $id_token_exp, # expiration
|
||||
iat => time, # Issued time
|
||||
auth_time =>
|
||||
$apacheSession->data->{_lastAuthnUTime}, # Authentication time
|
||||
auth_time => $apacheSession->data->{_lastAuthnUTime}
|
||||
, # Authentication time
|
||||
acr => $id_token_acr, # Authentication Context Class Reference
|
||||
azp => $client_id, # Authorized party
|
||||
# TODO amr
|
||||
|
@ -987,7 +958,7 @@ sub token {
|
|||
# Create ID Token
|
||||
my $id_token = $self->createIDToken( $id_token_payload_hash, $rp );
|
||||
|
||||
$self->lmLog( "Generated id token: $id_token", 'debug' );
|
||||
$self->logger->debug("Generated id token: $id_token");
|
||||
|
||||
# Send token response
|
||||
my $expires_in = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
|
@ -1000,7 +971,7 @@ sub token {
|
|||
id_token => $id_token,
|
||||
};
|
||||
|
||||
$self->lmLog( "Send token response", 'debug' );
|
||||
$self->logger->debug("Send token response");
|
||||
|
||||
$codeSession->remove();
|
||||
return $self->p->sendJSONresponse( $req, $token_response );
|
||||
|
@ -1009,23 +980,23 @@ sub token {
|
|||
# Handle uerinfo endpoint
|
||||
sub userInfo {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect USERINFO URL", 'debug' );
|
||||
$self->logger->debug("URL detected as an OpenID Connect USERINFO URL");
|
||||
|
||||
my $access_token = $self->getEndPointAccessToken($req);
|
||||
|
||||
unless ($access_token) {
|
||||
$self->lmLog( "Unable to get access_token", "error" );
|
||||
$self->logger->error("Unable to get access_token");
|
||||
return $self->returnBearerError( "invalid_request",
|
||||
"Access token not found in request" );
|
||||
}
|
||||
|
||||
$self->lmLog( "Received Access Token $access_token", 'debug' );
|
||||
$self->logger->debug("Received Access Token $access_token");
|
||||
|
||||
my $accessTokenSession = $self->getOpenIDConnectSession($access_token);
|
||||
|
||||
unless ($accessTokenSession) {
|
||||
$self->lmLog( "Unable to get access token session for id $access_token",
|
||||
"error" );
|
||||
$self->userLogger->error(
|
||||
"Unable to get access token session for id $access_token");
|
||||
return $self->returnBearerError( "invalid_token",
|
||||
"Access Token not found or expired" );
|
||||
}
|
||||
|
@ -1050,7 +1021,7 @@ sub userInfo {
|
|||
else {
|
||||
my $userinfo_jwt =
|
||||
$self->createJWT( $userinfo_response, $userinfo_sign_alg, $rp );
|
||||
$self->lmLog( "Return UserInfo as JWT: $userinfo_jwt", 'debug' );
|
||||
$self->logger->debug("Return UserInfo as JWT: $userinfo_jwt");
|
||||
return [
|
||||
200,
|
||||
[
|
||||
|
@ -1065,7 +1036,7 @@ sub userInfo {
|
|||
# Handle jwks endpoint
|
||||
sub jwks {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect JWKS URL", 'debug' );
|
||||
$self->logger->debug("URL detected as an OpenID Connect JWKS URL");
|
||||
|
||||
my $jwks = { keys => [] };
|
||||
|
||||
|
@ -1078,26 +1049,25 @@ sub jwks {
|
|||
$key->{kid} = $key_id_sig if $key_id_sig;
|
||||
push @{ $jwks->{keys} }, $key;
|
||||
}
|
||||
$self->lmLog( "Send JWKS response sent", 'debug' );
|
||||
$self->logger->debug("Send JWKS response sent");
|
||||
return $self->p->sendJSONresponse( $req, $jwks );
|
||||
}
|
||||
|
||||
# Handle register endpoint
|
||||
sub registration {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect REGISTRATION URL",
|
||||
'debug' );
|
||||
$self->logger->debug("URL detected as an OpenID Connect REGISTRATION URL");
|
||||
|
||||
# TODO: check Initial Access Token
|
||||
|
||||
# Specific message to allow DOS detection
|
||||
my $source_ip = $req->address;
|
||||
$self->lmLog( "OpenID Connect Registration request from $source_ip",
|
||||
'warn' );
|
||||
$self->logger->notice(
|
||||
"OpenID Connect Registration request from $source_ip");
|
||||
|
||||
# Check dynamic registration is allowed
|
||||
unless ( $self->conf->{oidcServiceAllowDynamicRegistration} ) {
|
||||
$self->lmLog( "Dynamic registration is not allowed", 'error' );
|
||||
$self->logger->error("Dynamic registration is not allowed");
|
||||
$self->p->sendError( $req, 'server_error' );
|
||||
}
|
||||
|
||||
|
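Review bot: `$self->p->sendError( $req, 'server_error' );` in the `oidcServiceAllowDynamicRegistration` guard is not returned, so when dynamic registration is disabled the function still falls through to read the client metadata and register the client after an error response has already been produced. The `redirect_uris` check in the next hunk does it right with `return $self->p->sendError( $req, 'invalid_client_metadata', 400 );`; this guard should likewise be `return $self->p->sendError( $req, 'server_error' );`. The source-IP line was moved from `warn` to `logger->notice`; since its stated purpose is abuse detection, it may belong on `userLogger` alongside the other client-attributable events in this commit, but that depends on how the two loggers are routed. registration continues outside the hunk.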
@ -1107,14 +1077,14 @@ sub registration {
|
|||
return $self->p->sendError( $req, 'Missing POST datas', 400 );
|
||||
}
|
||||
|
||||
$self->lmLog( "Client metadata received: $client_metadata_json", 'debug' );
|
||||
$self->logger->debug("Client metadata received: $client_metadata_json");
|
||||
|
||||
my $client_metadata = $self->decodeJSON($client_metadata_json);
|
||||
my $registration_response = {};
|
||||
|
||||
# Check redirect_uris
|
||||
unless ( $client_metadata->{redirect_uris} ) {
|
||||
$self->lmLog( "Field redirect_uris is mandatory", 'error' );
|
||||
$self->logger->error("Field redirect_uris is mandatory");
|
||||
return $self->p->sendError( $req, 'invalid_client_metadata', 400 );
|
||||
}
|
||||
|
||||
|
@ -1179,13 +1149,12 @@ sub registration {
|
|||
if defined $userinfo_signed_response_alg;
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Configuration not saved: $Lemonldap::NG::Common::Conf::msg",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Configuration not saved: $Lemonldap::NG::Common::Conf::msg");
|
||||
return $self->p->sendError( $req, 'server_error', 500 );
|
||||
}
|
||||
|
||||
$self->lmLog( "Registration response sent", 'debug' );
|
||||
$self->logger->debug("Registration response sent");
|
||||
return $self->p->sendJSONresponse( $req, $registration_response,
|
||||
code => 201 );
|
||||
}
|
||||
|
@ -1193,9 +1162,8 @@ sub registration {
|
|||
# Handle logout endpoint for unauthenticated users
|
||||
sub endSessionDone {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect END SESSION URL",
|
||||
'debug' );
|
||||
$self->lmLog( "User is already logged out", 'debug' );
|
||||
$self->logger->debug("URL detected as an OpenID Connect END SESSION URL");
|
||||
$self->logger->debug("User is already logged out");
|
||||
|
||||
my $post_logout_redirect_uri = $req->param('post_logout_redirect_uri');
|
||||
my $state = $req->param('state');
|
||||
|
@ -1206,7 +1174,7 @@ sub endSessionDone {
|
|||
my $response_url =
|
||||
$self->buildLogoutResponse( $post_logout_redirect_uri, $state );
|
||||
|
||||
$self->lmLog( "Redirect user to $response_url", 'debug' );
|
||||
$self->logger->debug("Redirect user to $response_url");
|
||||
return [ 302, [ Location => $response_url ], [] ];
|
||||
}
|
||||
|
||||
|
@ -1217,8 +1185,8 @@ sub endSessionDone {
|
|||
# Handle checksession endpoint
|
||||
sub checkSession {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( "URL detected as an OpenID Connect CHECK SESSION URL",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"URL detected as an OpenID Connect CHECK SESSION URL");
|
||||
|
||||
# TODO: access_control_allow_origin => '*'
|
||||
$req->frame(1);
|
||||
|
@ -1252,7 +1220,7 @@ sub addRouteFromConf {
|
|||
my $sub = $subs{$_};
|
||||
my $path = $self->conf->{$_};
|
||||
unless ($path) {
|
||||
$self->lmLog( "$_ parameter not defined", 'error' );
|
||||
$self->logger->error("$_ parameter not defined");
|
||||
next;
|
||||
}
|
||||
$self->$adder( $self->path => { $path => $sub }, [ 'GET', 'POST' ] );
|
||||
|
|
|
@ -49,8 +49,8 @@ sub getCasSession {
|
|||
$self->p->userInfo("CAS session $id isn't yet available");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to create new CAS session", 'error' );
|
||||
$self->lmLog( $casSession->error, 'error' );
|
||||
$self->logger->error("Unable to create new CAS session");
|
||||
$self->logger->error( $casSession->error );
|
||||
}
|
||||
return undef;
|
||||
}
|
||||
|
@ -62,7 +62,7 @@ sub getCasSession {
|
|||
sub returnCasValidateError {
|
||||
my ( $self, $req ) = @_;
|
||||
|
||||
$self->lmLog( "Return CAS validate error", 'debug' );
|
||||
$self->logger->debug("Return CAS validate error");
|
||||
|
||||
return [ 200, [ 'Content-Length' => 4 ], ["no\n\n"] ];
|
||||
}
|
||||
|
@ -71,8 +71,7 @@ sub returnCasValidateError {
|
|||
sub returnCasValidateSuccess {
|
||||
my ( $self, $req, $username ) = @_;
|
||||
|
||||
$self->lmLog( "Return CAS validate success with username $username",
|
||||
'debug' );
|
||||
$self->logger->debug("Return CAS validate success with username $username");
|
||||
|
||||
return $self->sendSoapResponse( $req, "yes\n$username\n" );
|
||||
}
|
||||
|
@ -84,7 +83,7 @@ sub returnCasServiceValidateError {
|
|||
$code ||= 'INTERNAL_ERROR';
|
||||
$text ||= 'No description provided';
|
||||
|
||||
$self->lmLog( "Return CAS service validate error $code ($text)", 'debug' );
|
||||
$self->logger->debug("Return CAS service validate error $code ($text)");
|
||||
|
||||
return $self->sendSoapResponse(
|
||||
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
|
||||
|
@ -99,8 +98,8 @@ sub returnCasServiceValidateError {
|
|||
sub returnCasServiceValidateSuccess {
|
||||
my ( $self, $req, $username, $pgtIou, $proxies, $attributes ) = @_;
|
||||
|
||||
$self->lmLog( "Return CAS service validate success with username $username",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Return CAS service validate success with username $username");
|
||||
|
||||
my $s = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
|
||||
\t<cas:authenticationSuccess>
|
||||
|
@ -121,13 +120,12 @@ sub returnCasServiceValidateSuccess {
|
|||
$s .= "\t\t</cas:attributes>\n";
|
||||
}
|
||||
if ( defined $pgtIou ) {
|
||||
$self->lmLog( "Add proxy granting ticket $pgtIou in response",
|
||||
'debug' );
|
||||
$self->logger->debug("Add proxy granting ticket $pgtIou in response");
|
||||
$s .=
|
||||
"\t\t<cas:proxyGrantingTicket>$pgtIou</cas:proxyGrantingTicket>\n";
|
||||
}
|
||||
if ($proxies) {
|
||||
$self->lmLog( "Add proxies $proxies in response", 'debug' );
|
||||
$self->logger->debug("Add proxies $proxies in response");
|
||||
$s .= "\t\t<cas:proxies>\n\t\t\t<cas:proxy>$_</cas:proxy>\n"
|
||||
foreach ( split( /$self->{multiValuesSeparator}/, $proxies ) );
|
||||
$s .= "\t\t</cas:proxies>\n";
|
||||
|
@ -144,7 +142,7 @@ sub returnCasProxyError {
|
|||
$code ||= 'INTERNAL_ERROR';
|
||||
$text ||= 'No description provided';
|
||||
|
||||
$self->lmLog( "Return CAS proxy error $code ($text)", 'debug' );
|
||||
$self->logger->debug("Return CAS proxy error $code ($text)");
|
||||
|
||||
return $self->sendSoapResponse(
|
||||
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
|
||||
|
@ -159,7 +157,7 @@ sub returnCasProxyError {
|
|||
sub returnCasProxySuccess {
|
||||
my ( $self, $req, $ticket ) = @_;
|
||||
|
||||
$self->lmLog( "Return CAS proxy success with ticket $ticket", 'debug' );
|
||||
$self->logger->debug("Return CAS proxy success with ticket $ticket");
|
||||
|
||||
return $self->sendSoapResponse(
|
||||
$req, "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
|
||||
|
@ -188,7 +186,7 @@ sub deleteCasSecondarySessions {
|
|||
foreach my $cas_session (@cas_sessions_keys) {
|
||||
|
||||
# Get session
|
||||
$self->lmLog( "Retrieve CAS session $cas_session", 'debug' );
|
||||
$self->logger->debug("Retrieve CAS session $cas_session");
|
||||
|
||||
my $casSession = $self->getCasSession($cas_session);
|
||||
|
||||
|
@ -197,8 +195,7 @@ sub deleteCasSecondarySessions {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No CAS session found for session $session_id ",
|
||||
'debug' );
|
||||
$self->logger->debug("No CAS session found for session $session_id ");
|
||||
}
|
||||
|
||||
return $result;
|
||||
|
@ -211,7 +208,7 @@ sub deleteCasSession {
|
|||
|
||||
# Check session object
|
||||
unless ( $session && $session->data ) {
|
||||
$self->lmLog( "No session to delete", 'error' );
|
||||
$self->logger->error("No session to delete");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -220,11 +217,11 @@ sub deleteCasSession {
|
|||
|
||||
# Delete session
|
||||
unless ( $session->remove ) {
|
||||
$self->lmLog( $session->error, 'error' );
|
||||
$self->logger->error( $session->error );
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "CAS session $session_id deleted", 'debug' );
|
||||
$self->logger->debug("CAS session $session_id deleted");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -237,7 +234,7 @@ sub callPgtUrl {
|
|||
my $url =
|
||||
$pgtUrl . ( $pgtUrl =~ /\?/ ? '&' : '?' ) . "pgtIou=$pgtIou&pgtId=$pgtId";
|
||||
|
||||
$self->lmLog( "Call URL $url", 'debug' );
|
||||
$self->logger->debug("Call URL $url");
|
||||
|
||||
# GET URL
|
||||
my $response = $self->ua->get($url);
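Review bot: The new `$self->logger->debug("Call URL $url")` in callPgtUrl writes the complete callback URL, which from the line above carries both `pgtIou=$pgtIou` and `pgtId=$pgtId`; in the CAS protocol the pgtId is the proxy-granting ticket a proxy later redeems, so at debug level the log file accumulates live credentials. Logging the target and the IOU is enough to trace the callback: `$self->logger->debug("Call pgtUrl $pgtUrl with pgtIou $pgtIou");`. The same consideration applies to `returnCasProxySuccess`, where the issued proxy ticket is logged verbatim, and to `returnCasServiceValidateSuccess`, which logs the pgtIou. callPgtUrl continues past the end of the hunk.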
|
||||
|
|
|
@ -58,21 +58,21 @@ sub validateCaptcha {
|
|||
my ( $self, $token, $value ) = @_;
|
||||
my $s = $self->ott->getToken($token);
|
||||
unless ($s) {
|
||||
$self->lmLog( "Captcha token $token isn't valid", 'warn' );
|
||||
$self->logger->warn("Captcha token $token isn't valid");
|
||||
return 0;
|
||||
}
|
||||
unless ( $s->{captcha} == $value ) {
|
||||
$self->lmLog( 'Bad captcha response', 'notice' );
|
||||
$self->logger->notice('Bad captcha response');
|
||||
return 0;
|
||||
}
|
||||
$self->lmLog( 'Good captcha response', 'debug' );
|
||||
$self->logger->debug('Good captcha response');
|
||||
return 1;
|
||||
}
|
||||
|
||||
sub setCaptcha {
|
||||
my ( $self, $req ) = @_;
|
||||
my ( $token, $image ) = $self->getCaptcha;
|
||||
$self->lmLog( 'Prepare captcha', 'debug' );
|
||||
$self->logger->debug('Prepare captcha');
|
||||
$req->token($token);
|
||||
$req->captcha($image);
|
||||
}
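Review bot: `unless ( $s->{captcha} == $value )` in validateCaptcha compares the stored answer and the submitted answer numerically, so two non-numeric strings both evaluate to 0 and compare equal (with only a warning); if the captcha alphabet is ever anything other than digits, any non-numeric submission would be accepted. An undefined `$value` likewise produces a warning instead of a clean failure. A definedness guard plus string comparison is safe for any alphabet: `unless ( defined $value and $s->{captcha} eq $value )`. The hunk shows validateCaptcha in full, so the change is self-contained.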
|
||||
|
|
|
@ -37,16 +37,13 @@ sub init {
|
|||
. $mods[$type];
|
||||
if ( $module = $self->loadPlugin( $name, $module ) ) {
|
||||
$self->modules->{$name} = $module;
|
||||
$self->p->lmLog(
|
||||
$self->logger->debug(
|
||||
[qw(Authentication User Password)]->[$type]
|
||||
. " module $name selected",
|
||||
'debug'
|
||||
);
|
||||
. " module $name selected" );
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Choice: unable to load $name, disabling it: " . $self->error,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Choice: unable to load $name, disabling it: " . $self->error );
|
||||
$self->error('');
|
||||
}
|
||||
}
|
||||
|
@ -65,7 +62,7 @@ sub checkChoice {
|
|||
or return 0;
|
||||
return $name if ( $req->datas->{ "enabledMods" . $self->type } );
|
||||
unless ( defined $self->modules->{$name} ) {
|
||||
$self->lmLog( "Unknown choice '$name'", 'error' );
|
||||
$self->logger->error("Unknown choice '$name'");
|
||||
return 0;
|
||||
}
|
||||
$req->sessionInfo->{_choice} = $name;
|
||||
|
@ -94,7 +91,7 @@ sub _buildAuthLoop {
|
|||
|
||||
# Test authentication choices
|
||||
unless ( ref $self->conf->{authChoiceModules} eq 'HASH' ) {
|
||||
$self->lmLog( "No authentication choices defined", 'warn' );
|
||||
$self->logger->warn("No authentication choices defined");
|
||||
return [];
|
||||
}
|
||||
|
||||
|
@ -121,7 +118,7 @@ sub _buildAuthLoop {
|
|||
|
||||
# Default URL
|
||||
$url = ( defined $url ? $url .= $req->env->{'REQUEST_URI'} : '#' );
|
||||
$self->lmLog( "Use URL $url", 'debug' );
|
||||
$self->logger->debug("Use URL $url");
|
||||
|
||||
# Options to store in the loop
|
||||
my $optionsLoop =
|
||||
|
@ -132,8 +129,7 @@ sub _buildAuthLoop {
|
|||
my $displayType = "Lemonldap::NG::Portal::Auth::${auth}"
|
||||
->can('getDisplayType')->( undef, $req );
|
||||
|
||||
$self->lmLog( "Display type $displayType for module $auth",
|
||||
'debug' );
|
||||
$self->logger->debug("Display type $displayType for module $auth");
|
||||
$optionsLoop->{$displayType} = 1;
|
||||
|
||||
# If displayType is logo, check if key.png is available
|
||||
|
@ -151,8 +147,8 @@ sub _buildAuthLoop {
|
|||
# Register item in loop
|
||||
push @authLoop, $optionsLoop;
|
||||
|
||||
$self->lmLog( "Authentication choice $name will be displayed",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Authentication choice $name will be displayed");
|
||||
}
|
||||
|
||||
else {
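Review bot: In _buildAuthLoop the display type is obtained with `"Lemonldap::NG::Portal::Auth::${auth}"->can('getDisplayType')->( undef, $req )`; if `can` returns undef because a configured module does not implement getDisplayType, the immediate `->()` dies with "Can't use an undefined value as a subroutine reference" while the login page is being built. Whether every Auth module defines that method is not visible here, but the guard is cheap: `my $getType = "Lemonldap::NG::Portal::Auth::${auth}"->can('getDisplayType');` followed by `unless ($getType) { $self->logger->error("$auth has no getDisplayType"); next; }` before the call, assuming this sits inside the per-choice loop that ends with `push @authLoop, $optionsLoop;`. _buildAuthLoop starts and ends outside the hunks.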
|
||||
|
|
|
@ -31,7 +31,7 @@ sub dbh {
|
|||
);
|
||||
};
|
||||
if ($@) {
|
||||
$_[0]->{p}->lmLog( "DBI connection error: $@", 'error' );
|
||||
$_[0]->{p}->logger->error("DBI connection error: $@");
|
||||
return 0;
|
||||
}
|
||||
return $_[0]->{_dbh};
|
||||
|
@ -54,12 +54,12 @@ sub init {
|
|||
sub hash_password {
|
||||
my ( $self, $password, $hash ) = @_;
|
||||
if ( $hash =~ /^(md5|sha|sha1|encrypt)$/i ) {
|
||||
$self->lmLog( "Using " . uc($hash) . " to hash password", 'debug' );
|
||||
$self->logger->debug( "Using " . uc($hash) . " to hash password" );
|
||||
return uc($hash) . "($password)";
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No valid password hash, using clear text for password",
|
||||
'warn' );
|
||||
$self->logger->notice(
|
||||
"No valid password hash, using clear text for password");
|
||||
return $password;
|
||||
}
|
||||
|
||||
|
@ -115,12 +115,12 @@ sub check_password {
|
|||
if ($@) {
|
||||
|
||||
# If connection isn't available, error is displayed by dbh()
|
||||
$self->lmLog( "DBI error: $@", 'error' ) if ( $self->_dbh );
|
||||
$self->logger->error("DBI error: $@") if ( $self->_dbh );
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ( @rows == 1 ) {
|
||||
$self->lmLog( "One row returned by SQL query", 'debug' );
|
||||
$self->logger->debug("One row returned by SQL query");
|
||||
return 1;
|
||||
}
|
||||
else {
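Review bot: The cleartext fallback in hash_password is now logged with `$self->logger->notice("No valid password hash, using clear text for password")` where the replaced call used `'warn'`; a misconfigured hash setting that silently degrades to plain-text password comparison is an operator-facing weakness and should keep the warn level, `$self->logger->warn(...)`. Separately, `return uc($hash) . "($password)"` produces SQL text, so whatever check_password passes in must be a bind placeholder rather than the user's password; that call site is outside the hunk and worth confirming. The visible `if ( @rows == 1 )` check is the right strictness, since an ambiguous login row is rejected.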
|
||||
|
|
|
@ -29,16 +29,16 @@ sub newLdap {
|
|||
)
|
||||
{
|
||||
if ( $msg->code != 0 ) {
|
||||
$self->lmLog( "LDAP error: " . $msg->error, 'error' );
|
||||
$self->logger->error( "LDAP error: " . $msg->error );
|
||||
}
|
||||
else {
|
||||
if ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
|
||||
$self->lmLog( "LDAP password policy error", 'error' );
|
||||
$self->logger->error("LDAP password policy error");
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "LDAP error: $@", 'error' );
|
||||
$self->logger->error("LDAP error: $@");
|
||||
}
|
||||
return $ldap;
|
||||
}
|
||||
|
@ -51,7 +51,7 @@ has filter => (
|
|||
|
||||
sub buildFilter {
|
||||
my $conf = $_[0]->{conf};
|
||||
$_[0]->{p}->lmLog( "LDAP Search base: $_[0]->{conf}->{ldapBase}", 'debug' );
|
||||
$_[0]->{p}->logger->debug("LDAP Search base: $_[0]->{conf}->{ldapBase}");
|
||||
|
||||
# TODO : mailLDAPFilter
|
||||
my $filter =
|
||||
|
@ -63,7 +63,7 @@ sub buildFilter {
|
|||
$filter =~ s/\$req->\{sessionInfo\}->\{user\}/\$req->{user}/g;
|
||||
$filter =~
|
||||
s/\$req->\{sessionInfo\}->\{(_?password|mail)\}/\$req->{datas}->{$1}/g;
|
||||
$_[0]->{p}->lmLog( "LDAP transformed filter: $filter", 'debug' );
|
||||
$_[0]->{p}->logger->debug("LDAP transformed filter: $filter");
|
||||
$filter = "sub{my(\$req)=\$_[0];return \"$filter\";}";
|
||||
return eval $filter;
|
||||
}
|
||||
|
@ -74,6 +74,7 @@ sub init {
|
|||
my ($self) = @_;
|
||||
$self->ldap and $self->filter;
|
||||
}
|
||||
|
||||
# RUNNING METHODS
|
||||
|
||||
# Test LDAP connection before trying to bind
|
||||
|
@ -84,10 +85,10 @@ sub bind {
|
|||
{
|
||||
$self->ldap( $self->newLdap );
|
||||
}
|
||||
return undef unless($self->ldap);
|
||||
return undef unless ( $self->ldap );
|
||||
my $msg = $self->ldap->bind(@_);
|
||||
if ( $msg->code ) {
|
||||
$self->lmLog( $msg->error, 'error' );
|
||||
$self->logger->error( $msg->error );
|
||||
return undef;
|
||||
}
|
||||
return 1;
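Review bot: buildFilter turns the configured filter into a closure that interpolates `$req->{user}` and `$req->{datas}->{_password|mail}` directly into the LDAP filter string (`return \"$filter\"` at the end of the hunk), and no escaping is visible between the substitutions and the eval. Unless the caller runs those values through `Net::LDAP::Util::escape_filter_value` before invoking the closure, characters such as `*`, `(`, `)` and `\` in the login field change the filter semantics, for example a wildcard user matching the first entry under the base. Escaping inside the generated sub, by having it copy the user and datas values through escape_filter_value before the string is interpolated, keeps the protection independent of call sites. The new `logger->debug("LDAP transformed filter: $filter")` logs only the template, which is fine.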
|
||||
|
|
|
@ -55,7 +55,7 @@ sub new {
|
|||
( $conf->{caPath} ? ( capath => $conf->{caPath} ) : () ),
|
||||
);
|
||||
unless ($self) {
|
||||
$portal->lmLog( $@, 'error' );
|
||||
$portal->logger->error($@);
|
||||
return 0;
|
||||
}
|
||||
bless $self, $class;
|
||||
|
@ -65,7 +65,7 @@ sub new {
|
|||
$h{capath} = $conf->{caPath} if ( $conf->{caPath} );
|
||||
my $mesg = $self->start_tls(%h);
|
||||
if ( $mesg->code ) {
|
||||
$portal->lmLog( 'StartTLS failed', 'error' );
|
||||
$portal->logger->error('StartTLS failed');
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -122,7 +122,7 @@ sub unbind {
|
|||
my $self = shift;
|
||||
my $ldap_uri = $self->uri;
|
||||
|
||||
$self->{portal}->lmLog( "Unbind and disconnect from $ldap_uri", 'debug' );
|
||||
$self->{portal}->logger->debug("Unbind and disconnect from $ldap_uri");
|
||||
|
||||
my $mesg = $self->SUPER::unbind();
|
||||
$self->SUPER::disconnect();
|
||||
|
@ -147,9 +147,8 @@ sub loadPP {
|
|||
# Require Perl module
|
||||
eval { require Net::LDAP::Control::PasswordPolicy };
|
||||
if ($@) {
|
||||
$self->{portal}->lmLog(
|
||||
"Module Net::LDAP::Control::PasswordPolicy not found in @INC",
|
||||
'error' );
|
||||
$self->{portal}->logger->error(
|
||||
"Module Net::LDAP::Control::PasswordPolicy not found in @INC");
|
||||
return 0;
|
||||
}
|
||||
$ppLoaded = 1;
|
||||
|
@ -261,7 +260,7 @@ sub userModifyPassword {
|
|||
$oldpassword =
|
||||
utf8( chr(34) . $oldpassword . chr(34) )->utf16le();
|
||||
}
|
||||
$self->{portal}->lmLog( "Active Directory mode enabled", 'debug' );
|
||||
$self->{portal}->logger->debug("Active Directory mode enabled");
|
||||
|
||||
}
|
||||
|
||||
|
@ -275,7 +274,7 @@ sub userModifyPassword {
|
|||
|
||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->userLogger->notice("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -296,7 +295,7 @@ sub userModifyPassword {
|
|||
|
||||
# Catch the "Unwilling to perform" error
|
||||
if ( $mesg->code == 53 ) {
|
||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->userLogger->notice("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -334,7 +333,7 @@ sub userModifyPassword {
|
|||
# 52e: password is incorrect
|
||||
unless ( ( $1 eq '532' ) || ( $1 eq '773' ) ) {
|
||||
$self->{portal}
|
||||
->lmLog( "Bad old password", 'warn' );
|
||||
->userLogger->warn("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -345,7 +344,7 @@ sub userModifyPassword {
|
|||
{ # this is not AD, a 0 error code means good old password
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}
|
||||
->lmLog( "Bad old password", 'warn' );
|
||||
->userLogger->warn('Bad old password');
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -361,7 +360,7 @@ sub userModifyPassword {
|
|||
}
|
||||
}
|
||||
$self->{portal}
|
||||
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
|
||||
->logger->debug( 'Modification return code: ' . $mesg->code );
|
||||
return PE_WRONGMANAGERACCOUNT
|
||||
if ( $mesg->code == 50 || $mesg->code == 8 );
|
||||
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
|
||||
|
@ -395,7 +394,7 @@ sub userModifyPassword {
|
|||
|
||||
unless ( defined $bind_resp ) {
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->logger->debug("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -407,15 +406,13 @@ sub userModifyPassword {
|
|||
and $pp_error == 0
|
||||
and $self->{conf}->{ldapAllowResetExpiredPassword} )
|
||||
{
|
||||
$self->{portal}->lmLog(
|
||||
"Password is expired but user is allowed to change it",
|
||||
'debug'
|
||||
$self->{portal}->logger->debug(
|
||||
"Password is expired but user is allowed to change it"
|
||||
);
|
||||
}
|
||||
else {
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}
|
||||
->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->logger->debug("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -442,7 +439,7 @@ sub userModifyPassword {
|
|||
|
||||
# Catch the "Unwilling to perform" error
|
||||
if ( $mesg->code == 53 ) {
|
||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->logger->debug("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -459,7 +456,7 @@ sub userModifyPassword {
|
|||
|
||||
unless ( defined $bind_resp ) {
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->logger->debug("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -471,15 +468,13 @@ sub userModifyPassword {
|
|||
and $pp_error == 0
|
||||
and $self->{conf}->{ldapAllowResetExpiredPassword} )
|
||||
{
|
||||
$self->{portal}->lmLog(
|
||||
"Password is expired but user is allowed to change it",
|
||||
'debug'
|
||||
$self->{portal}->logger->debug(
|
||||
"Password is expired but user is allowed to change it"
|
||||
);
|
||||
}
|
||||
else {
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->{portal}
|
||||
->lmLog( "Bad old password", 'debug' );
|
||||
$self->{portal}->logger->debug("Bad old password");
|
||||
return PE_BADOLDPASSWORD;
|
||||
}
|
||||
}
|
||||
|
@ -502,7 +497,7 @@ sub userModifyPassword {
|
|||
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
||||
|
||||
$self->{portal}
|
||||
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
|
||||
->logger->debug( "Modification return code: " . $mesg->code );
|
||||
return PE_WRONGMANAGERACCOUNT
|
||||
if ( $mesg->code == 50 || $mesg->code == 8 );
|
||||
if ( $mesg->code == 0 ) {
|
||||
|
@ -549,14 +544,14 @@ sub ldap {
|
|||
and my $mesg = $self->{ldap}->bind )
|
||||
{
|
||||
if ( $mesg->code != 0 ) {
|
||||
$self->lmLog( "LDAP error: " . $mesg->error, 'error' );
|
||||
$self->logger->error( "LDAP error: " . $mesg->error );
|
||||
$self->{ldap}->unbind;
|
||||
}
|
||||
else {
|
||||
if ( $self->{ldapPpolicyControl}
|
||||
and not $self->{ldap}->loadPP() )
|
||||
{
|
||||
$self->lmLog( "LDAP password policy error", 'error' );
|
||||
$self->logger->error("LDAP password policy error");
|
||||
$self->{ldap}->unbind;
|
||||
}
|
||||
else {
|
||||
|
@ -566,7 +561,7 @@ sub ldap {
|
|||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "LDAP error: $@", 'error' );
|
||||
$self->logger->error("LDAP error: $@");
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -591,7 +586,7 @@ sub searchGroups {
|
|||
}
|
||||
$searchFilter .= "))";
|
||||
|
||||
$self->{p}->lmLog( "Group search filter: $searchFilter", 'debug' );
|
||||
$self->{p}->logger->debug("Group search filter: $searchFilter");
|
||||
|
||||
# Search
|
||||
my $mesg = $self->search(
|
||||
|
@ -606,7 +601,7 @@ sub searchGroups {
|
|||
foreach my $entry ( $mesg->all_entries ) {
|
||||
|
||||
$self->{p}
|
||||
->lmLog( "Matching group " . $entry->dn() . " found", 'debug' );
|
||||
->logger->debug( "Matching group " . $entry->dn() . " found" );
|
||||
|
||||
# If recursive search is activated, do it here
|
||||
if ( $self->{conf}->{ldapGroupRecursive} ) {
|
||||
|
@ -620,7 +615,7 @@ sub searchGroups {
|
|||
if ($group_value) {
|
||||
|
||||
$self->{p}
|
||||
->lmLog( "Recursive search for $group_value", 'debug' );
|
||||
->logger->debug("Recursive search for $group_value");
|
||||
|
||||
my $recursive_groups =
|
||||
$self->searchGroups( $base, $key, $group_value,
|
||||
|
@ -646,8 +641,8 @@ sub searchGroups {
|
|||
my $data = $entry->get_value( $_, asref => 1 );
|
||||
|
||||
if ($data) {
|
||||
$self->{p}->lmLog( "Store values of $_ in group $groupName",
|
||||
'debug' );
|
||||
$self->{p}
|
||||
->logger->debug("Store values of $_ in group $groupName");
|
||||
$groups->{$groupName}->{$_} = $data;
|
||||
}
|
||||
}
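Review bot: userModifyPassword now reports the same event, a wrong old password, through three different channels: `userLogger->notice` (two sites), `userLogger->warn` (two sites) and `logger->debug` (five sites, including the AD and ppolicy branches). A failed old-password check during a password change is a user-attributable authentication failure that brute-force detection and audit rely on, so it belongs on the user logger at one level at every site, e.g. `$self->{portal}->userLogger->warn("Bad old password");`. The two `userLogger->warn` sites also mix `"..."` and `'...'` quoting for the same message. userModifyPassword starts and ends outside the hunks.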
|
||||
|
|
|
@ -45,14 +45,14 @@ sub checkForNotifications {
|
|||
# Get the reference
|
||||
my $reference = $notif->{reference};
|
||||
|
||||
$self->lmLog( "Get reference $reference", 'debug' );
|
||||
$self->logger->debug("Get reference $reference");
|
||||
|
||||
# Check it in session
|
||||
if ( exists $req->{sessionInfo}->{"notification_$reference"} ) {
|
||||
|
||||
# The notification was already accepted
|
||||
$self->lmLog( "Notification $reference was already accepted",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Notification $reference was already accepted");
|
||||
next LOOP;
|
||||
}
|
||||
push @res, $notif;
|
||||
|
@ -146,9 +146,8 @@ sub getNotifBack {
|
|||
# Current pending notification has not been found in
|
||||
# request
|
||||
$result = $fileResult = 0;
|
||||
$self->lmLog(
|
||||
'Current pending notification has not been found',
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'Current pending notification has not been found');
|
||||
next;
|
||||
}
|
||||
|
||||
|
@ -157,15 +156,14 @@ sub getNotifBack {
|
|||
"$uid has accepted notification $reference");
|
||||
$self->p->updatePersistentSession( $req,
|
||||
{ "notification_$reference" => time() } );
|
||||
$self->lmLog(
|
||||
"Notification $reference registered in persistent session",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Notification $reference registered in persistent session"
|
||||
);
|
||||
}
|
||||
|
||||
# Notifications accepted for this file, delete it unless it's a wildcard
|
||||
if ( $fileResult and exists $forUser->{$fileName} ) {
|
||||
$self->lmLog( "Notification file deleted", 'debug' );
|
||||
$self->logger->debug("Notification file deleted");
|
||||
$self->notifObject->delete($fileName);
|
||||
}
|
||||
}
|
||||
|
@ -174,22 +172,21 @@ sub getNotifBack {
|
|||
# One pending notification has been found and not accepted,
|
||||
# restart process to display pending notifications
|
||||
# TODO: is it a good idea to launch all 'afterDatas' subs ?
|
||||
$self->lmLog(
|
||||
'Pending notification has been found and not accepted',
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'Pending notification has been found and not accepted');
|
||||
return $self->p->do( $req, $self->p->afterDatas );
|
||||
}
|
||||
|
||||
# All pending notifications have been accepted, restore cookies and
|
||||
# launch 'controlUrl' to restore "urldc" using do()
|
||||
$self->lmLog( 'All pending notifications have been accepted', 'debug' );
|
||||
$self->logger->debug('All pending notifications have been accepted');
|
||||
$self->p->rebuildCookies($req);
|
||||
return $self->p->do( $req, ['controlUrl'] );
|
||||
}
|
||||
else {
|
||||
# No notifications checked here, this entry point must not be called.
|
||||
# Redirecting to portal
|
||||
$self->lmLog( 'No notifications checked', 'debug' );
|
||||
$self->logger->debug('No notifications checked');
|
||||
$req->mustRedirect(1);
|
||||
return $self->p->do( $req, [] );
|
||||
}
|
||||
|
|
|
@ -70,14 +70,14 @@ sub checkForNotifications {
|
|||
# Get the reference
|
||||
my $reference = $notif->getAttribute('reference');
|
||||
|
||||
$self->lmLog( "Get reference $reference", 'debug' );
|
||||
$self->logger->debug("Get reference $reference");
|
||||
|
||||
# Check it in session
|
||||
if ( exists $req->{sessionInfo}->{"notification_$reference"} ) {
|
||||
|
||||
# The notification was already accepted
|
||||
$self->lmLog( "Notification $reference was already accepted",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Notification $reference was already accepted");
|
||||
|
||||
# Remove it from XML
|
||||
$notif->unbindNode();
|
||||
|
@ -89,11 +89,10 @@ sub checkForNotifications {
|
|||
|
||||
if ($condition) {
|
||||
|
||||
$self->lmLog( "Get condition $condition", 'debug' );
|
||||
$self->logger->debug("Get condition $condition");
|
||||
|
||||
unless ( $self->p->HANDLER->safe->reval($condition) ) {
|
||||
$self->lmLog( "Notification condition not accepted",
|
||||
'debug' );
|
||||
$self->logger->debug("Notification condition not accepted");
|
||||
|
||||
# Remove it from XML
|
||||
$notif->unbindNode();
|
||||
|
@ -113,8 +112,8 @@ sub checkForNotifications {
|
|||
$form .= $self->stylesheet->output_string($results);
|
||||
}
|
||||
if ($@) {
|
||||
$self->lmLog( "Bad XML file: a notification for $uid was not done ($@)",
|
||||
'warn' );
|
||||
$self->userLogger->warn(
|
||||
"Bad XML file: a notification for $uid was not done ($@)");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -197,7 +196,7 @@ sub getNotifBack {
|
|||
# Current pending notification has not been found in
|
||||
# request
|
||||
$result = $fileResult = 0;
|
||||
$self->lmLog(
|
||||
$self->logger->debulogger->debug(
|
||||
'Current pending notification has not been found',
|
||||
'debug' );
|
||||
next;
|
||||
|
@ -208,15 +207,14 @@ sub getNotifBack {
|
|||
"$uid has accepted notification $reference");
|
||||
$self->p->updatePersistentSession( $req,
|
||||
{ "notification_$reference" => time() } );
|
||||
$self->lmLog(
|
||||
"Notification $reference registered in persistent session",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Notification $reference registered in persistent session"
|
||||
);
|
||||
}
|
||||
|
||||
# Notifications accepted for this file, delete it unless it's a wildcard
|
||||
if ( $fileResult and exists $forUser->{$fileName} ) {
|
||||
$self->lmLog( "Notification file deleted", 'debug' );
|
||||
$self->logger->debug("Notification file deleted");
|
||||
$self->notifObject->delete($fileName);
|
||||
}
|
||||
}
|
||||
|
@ -225,22 +223,21 @@ sub getNotifBack {
|
|||
# One pending notification has been found and not accepted,
|
||||
# restart process to display pending notifications
|
||||
# TODO: is it a good idea to launch all 'afterDatas' subs ?
|
||||
$self->lmLog(
|
||||
'Pending notification has been found and not accepted',
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'Pending notification has been found and not accepted');
|
||||
return $self->p->do( $req, $self->p->afterDatas );
|
||||
}
|
||||
|
||||
# All pending notifications have been accepted, restore cookies and
|
||||
# launch 'controlUrl' to restore "urldc" using do()
|
||||
$self->lmLog( 'All pending notifications have been accepted', 'debug' );
|
||||
$self->logger->debug('All pending notifications have been accepted');
|
||||
$self->p->rebuildCookies($req);
|
||||
return $self->p->do( $req, ['controlUrl'] );
|
||||
}
|
||||
else {
|
||||
# No notifications checked here, this entry point must not be called.
|
||||
# Redirecting to portal
|
||||
$self->lmLog( 'No notifications checked', 'debug' );
|
||||
$self->logger->debug('No notifications checked');
|
||||
$req->mustRedirect(1);
|
||||
return $self->p->do( $req, [] );
|
||||
}
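Review bot: The replacement in the `@ -197,7 +196,7` hunk is mangled: the new line reads `$self->logger->debulogger->debug(` and the two argument lines below it are unchanged, so the call invokes a non-existent `debulogger` method and still passes `'debug'` as a second argument. That branch runs whenever a submitted notification form does not match a pending notification, so the first such request dies at runtime instead of logging. It should read `$self->logger->debug('Current pending notification has not been found');` with the trailing `'debug'` argument dropped, as the JSON implementation of the same function does in this commit. getNotifBack starts and ends outside the hunk.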
|
||||
|
|
|
@ -43,14 +43,14 @@ sub createToken {
|
|||
sub getToken {
|
||||
my ( $self, $id ) = @_;
|
||||
unless ($id) {
|
||||
$self->lmLog( 'getToken called without id', 'error' );
|
||||
$self->logger->error('getToken called without id');
|
||||
return undef;
|
||||
}
|
||||
|
||||
# Get token session
|
||||
my $tsession = $self->p->getApacheSession($id);
|
||||
unless ($tsession) {
|
||||
$self->lmLog( "Bad (or expired) token $id", 'notice' );
|
||||
$self->logger->notice("Bad (or expired) token $id");
|
||||
return undef;
|
||||
}
|
||||
my %h = %{ $tsession->{data} };
|
||||
|
@ -60,7 +60,7 @@ sub getToken {
|
|||
|
||||
sub setToken {
|
||||
my ( $self, $req, $info ) = @_;
|
||||
$self->lmLog( 'Prepare token', 'debug' );
|
||||
$self->logger->debug('Prepare token');
|
||||
$req->token( $self->createToken($info) );
|
||||
}
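Review bot: getToken resolves `$id` with `$self->p->getApacheSession($id)` and copies whatever session comes back into `%h`, with no visible check that the session is a one-time token rather than an ordinary SSO session; unless getApacheSession is already scoped to a token kind, any valid session id presented as a token would be accepted, and if the token is consumed after this point that session would be destroyed. Writing a marker into the token data in createToken and checking it here before `%h` is built, returning undef with a notice otherwise, closes that. The new `logger->notice("Bad (or expired) token $id")` records the rejected id, which is acceptable at notice since it is no longer usable. getToken continues past the end of the hunk.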
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ sub sregHook {
|
|||
# If identity is not trusted, does nothing
|
||||
return ( 0, $prm ) unless ( $is_id and $is_trusted );
|
||||
|
||||
$self->lmLog( "SREG start", 'debug' );
|
||||
$self->logger->debug("SREG start");
|
||||
|
||||
my $accepted = 1;
|
||||
|
||||
|
@ -40,7 +40,8 @@ sub sregHook {
|
|||
if ( $k eq 'policy_url' ) {
|
||||
if ( $v =~ Lemonldap::NG::Common::Regexp::HTTP_URI ) {
|
||||
$req->datas->{_openIdTrustExtMsg} .=
|
||||
'<dl><dt trspan="openidPA">' . " :</dt><dd><a href=\"$v\">$v</a></dd></dl>";
|
||||
'<dl><dt trspan="openidPA">'
|
||||
. " :</dt><dd><a href=\"$v\">$v</a></dd></dl>";
|
||||
|
||||
# Question: is it important to notify policy changes ?
|
||||
# if yes, uncomment this
|
||||
|
@ -49,24 +50,25 @@ sub sregHook {
|
|||
#$accepted = 0 unless ( $p and $p eq $v );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Bad policy url", 'error' );
|
||||
$self->logger->error("Bad policy url");
|
||||
}
|
||||
}
|
||||
|
||||
# Parse required attributes
|
||||
elsif ( $k eq 'required' ) {
|
||||
$self->lmLog( "Required attr $v", 'debug' );
|
||||
$self->logger->debug("Required attr $v");
|
||||
push @req, split( /,/, $v );
|
||||
}
|
||||
|
||||
# Parse optional attributes
|
||||
elsif ( $k eq 'optional' ) {
|
||||
$self->lmLog( "Optional attr $v", 'debug' );
|
||||
push @opt, grep { defined $self->conf->{"openIdSreg_$trust_root$_"} }
|
||||
$self->logger->debug("Optional attr $v");
|
||||
push @opt,
|
||||
grep { defined $self->conf->{"openIdSreg_$trust_root$_"} }
|
||||
split( /,/, $v );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unknown OpenID SREG request $k", 'error' );
|
||||
$self->logger->error("Unknown OpenID SREG request $k");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -81,12 +83,11 @@ sub sregHook {
|
|||
# If a required data is not available, returns nothing
|
||||
foreach my $k (@req) {
|
||||
unless ( $self->conf->{"openIdSreg_$k"} ) {
|
||||
$self->lmLog(
|
||||
"Parameter $k is required by $trust_root but not defined in configuration",
|
||||
'notice'
|
||||
$self->logger->notice(
|
||||
"Parameter $k is required by $trust_root but not defined in configuration"
|
||||
);
|
||||
|
||||
$req->info( qq'<h3 trspan="openidRpns,$k"></h3>');
|
||||
$req->info(qq'<h3 trspan="openidRpns,$k"></h3>');
|
||||
return ( 0, {} );
|
||||
}
|
||||
}
|
||||
|
@ -202,7 +203,7 @@ sub sregHook {
|
|||
|
||||
$req->datas->{_openIdTrustExtMsg} .= "</table>\n";
|
||||
|
||||
$self->lmLog( 'Building validation form', 'debug' );
|
||||
$self->logger->debug('Building validation form');
|
||||
return ( 0, $prm );
|
||||
}
|
||||
}
|
||||
|
@ -231,12 +232,9 @@ sub sregfilter {
|
|||
|
||||
# Warn if some parameters are rejected
|
||||
if (@rej) {
|
||||
$self->lmLog(
|
||||
"Requested parameter(s) "
|
||||
$self->logger->warn( "Requested parameter(s) "
|
||||
. join( ',', @rej )
|
||||
. "is(are) not valid OpenID SREG parameter(s)",
|
||||
'warn'
|
||||
);
|
||||
. "is(are) not valid OpenID SREG parameter(s)" );
|
||||
}
|
||||
|
||||
# Return valid SREG parameters
|
||||
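Review bot: In the `@ -40,7 +40,8 @@` hunk of sregHook the reformatted lines `'<dl><dt trspan="openidPA">' . " :</dt><dd><a href=\"$v\">$v</a></dd></dl>"` interpolate the RP-supplied policy_url into an href attribute and into element text with no HTML escaping; the only filter is the HTTP_URI match two lines above, and whether that pattern rejects `"`, `<` and `>` cannot be verified from this hunk. Escaping $v for HTML before concatenation (or confirming that HTTP_URI excludes those characters) would close the gap. The same applies to `$req->info(qq'<h3 trspan="openidRpns,$k"></h3>')` in the `@ -81,12 +83,11 @@` hunk, where $k comes from the RP's required-attribute list (`push @req, split( /,/, $v )`), unless the template layer that renders info escapes attribute values. sregHook begins before the first of these hunks and continues past them.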
|
|
|
@ -17,7 +17,8 @@ our $VERSION = '2.0.0';
|
|||
|
||||
use constant OPENID2_NS => 'http://specs.openid.net/auth/2.0';
|
||||
|
||||
use constant OPENID2_ID_SELECT => 'http://specs.openid.net/auth/2.0/identifier_select';
|
||||
use constant OPENID2_ID_SELECT =>
|
||||
'http://specs.openid.net/auth/2.0/identifier_select';
|
||||
|
||||
*_push_url_arg =
|
||||
( $Net::OpenID::Server::VERSION >= 1.09 )
|
||||
|
|
|
@ -64,8 +64,8 @@ sub loadOPs {
|
|||
unless ( $self->conf->{oidcOPMetaDataJSON}
|
||||
and keys %{ $self->conf->{oidcOPMetaDataJSON} } )
|
||||
{
|
||||
$self->lmLog( "No OpenID Connect Provider found in configuration",
|
||||
'warn' );
|
||||
$self->logger->warn(
|
||||
"No OpenID Connect Provider found in configuration");
|
||||
}
|
||||
|
||||
# Extract JSON data
|
||||
|
@ -88,8 +88,8 @@ sub loadRPs {
|
|||
unless ( $self->conf->{oidcRPMetaDataOptions}
|
||||
and keys %{ $self->conf->{oidcRPMetaDataOptions} } )
|
||||
{
|
||||
$self->lmLog( "No OpenID Connect Relying Party found in configuration",
|
||||
'warn' );
|
||||
$self->logger->warn(
|
||||
"No OpenID Connect Relying Party found in configuration");
|
||||
}
|
||||
$self->oidcRPList( $self->conf->{oidcRPMetaDataOptions} );
|
||||
foreach my $rp ( keys %{ $self->oidcRPList } ) {
|
||||
|
@ -106,7 +106,7 @@ sub loadRPs {
|
|||
|
||||
if ($extraClaims) {
|
||||
foreach my $claim ( keys %$extraClaims ) {
|
||||
$self->lmLog( "Using extra claim $claim for $rp", 'debug' );
|
||||
$self->logger->debug("Using extra claim $claim for $rp");
|
||||
my @extraAttributes = split( /\s/, $extraClaims->{$claim} );
|
||||
$attributes->{$claim} = \@extraAttributes;
|
||||
}
|
||||
|
@ -125,9 +125,8 @@ sub refreshJWKSdata {
|
|||
unless ( $self->conf->{oidcOPMetaDataJSON}
|
||||
and keys %{ $self->conf->{oidcOPMetaDataJSON} } )
|
||||
{
|
||||
$self->lmLog(
|
||||
"No OpenID Provider configured, JWKS data will not be refreshed",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"No OpenID Provider configured, JWKS data will not be refreshed");
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -143,33 +142,30 @@ sub refreshJWKSdata {
|
|||
my $jwksUri = $self->oidcOPList->{$_}->{conf}->{jwks_uri};
|
||||
|
||||
unless ($jwksTimeout) {
|
||||
$self->lmLog( "No JWKS refresh timeout defined for $_, skipping...",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"No JWKS refresh timeout defined for $_, skipping...");
|
||||
next;
|
||||
}
|
||||
|
||||
unless ($jwksUri) {
|
||||
$self->lmLog( "No JWKS URI defined for $_, skipping...", 'debug' );
|
||||
$self->logger->debug("No JWKS URI defined for $_, skipping...");
|
||||
next;
|
||||
}
|
||||
|
||||
if ( $self->oidcOPList->{$_}->{jwks}->{time} + $jwksTimeout > time ) {
|
||||
$self->lmLog( "JWKS data still valid for $_, skipping...",
|
||||
'debug' );
|
||||
$self->logger->debug("JWKS data still valid for $_, skipping...");
|
||||
next;
|
||||
}
|
||||
|
||||
$self->lmLog( "Refresh JWKS data for $_ from $jwksUri", 'debug' );
|
||||
$self->logger->debug("Refresh JWKS data for $_ from $jwksUri");
|
||||
|
||||
my $response = $self->ua->get($jwksUri);
|
||||
|
||||
if ( $response->is_error ) {
|
||||
$self->lmLog(
|
||||
$self->logger->warn(
|
||||
"Unable to get JWKS data for $_ from $jwksUri: "
|
||||
. $response->message,
|
||||
"warn"
|
||||
);
|
||||
$self->lmLog( $response->content, 'debug' );
|
||||
. $response->message );
|
||||
$self->logger->debug( $response->content );
|
||||
next;
|
||||
}
|
||||
|
||||
|
@ -222,7 +218,7 @@ sub getCallbackUri {
|
|||
$req->param( $self->conf->{authChoiceParam} ) );
|
||||
}
|
||||
|
||||
$self->lmLog( "OpenIDConnect Callback URI: $callback_uri", 'debug' );
|
||||
$self->logger->debug("OpenIDConnect Callback URI: $callback_uri");
|
||||
return $callback_uri;
|
||||
}
|
||||
|
||||
|
@ -285,9 +281,8 @@ sub buildAuthorizationCodeAuthnRequest {
|
|||
( defined $acr_values ? ( acr_values => $acr_values ) : () )
|
||||
);
|
||||
|
||||
$self->lmLog(
|
||||
"OpenIDConnect Authorization Code Flow Authn Request: $authn_uri",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"OpenIDConnect Authorization Code Flow Authn Request: $authn_uri");
|
||||
|
||||
return $authn_uri;
|
||||
}
|
||||
|
@ -391,13 +386,12 @@ sub getAuthorizationCodeAccessToken {
|
|||
my $grant_type = "authorization_code";
|
||||
|
||||
unless ( $auth_method =~ /^client_secret_(basic|post)$/o ) {
|
||||
$self->lmLog( "Bad authentication method on token endpoint", 'error' );
|
||||
$self->logger->error("Bad authentication method on token endpoint");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Using auth method $auth_method to token endpoint $access_token_uri",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Using auth method $auth_method to token endpoint $access_token_uri");
|
||||
|
||||
my $response;
|
||||
|
||||
|
@ -429,13 +423,13 @@ sub getAuthorizationCodeAccessToken {
|
|||
"Content-Type" => 'application/x-www-form-urlencoded' );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unknown auth method $auth_method", 'error' );
|
||||
$self->logger->error("Unknown auth method $auth_method");
|
||||
}
|
||||
|
||||
if ( $response->is_error ) {
|
||||
$self->lmLog( "Bad authorization response: " . $response->message,
|
||||
"error" );
|
||||
$self->lmLog( $response->content, 'debug' );
|
||||
$self->logger->error(
|
||||
"Bad authorization response: " . $response->message );
|
||||
$self->logger->debug( $response->content );
|
||||
return 0;
|
||||
}
|
||||
return $response->decoded_content;
|
||||
|
@ -448,15 +442,14 @@ sub checkTokenResponseValidity {
|
|||
|
||||
# token_type MUST be Bearer
|
||||
unless ( $json->{token_type} eq "Bearer" ) {
|
||||
$self->lmLog(
|
||||
"Token type is " . $json->{token_type} . " but must be Bearer",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Token type is " . $json->{token_type} . " but must be Bearer" );
|
||||
return 0;
|
||||
}
|
||||
|
||||
# id_token MUST be present
|
||||
unless ( $json->{id_token} ) {
|
||||
$self->lmLog( "No id_token", 'error' );
|
||||
$self->logger->error("No id_token");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -486,7 +479,7 @@ sub checkIDTokenValidity {
|
|||
|
||||
# Check issuer
|
||||
unless ( $id_token->{iss} eq $self->oidcOPList->{$op}->{conf}->{issuer} ) {
|
||||
$self->lmLog( "Issuer mismatch", 'error' );
|
||||
$self->logger->error("Issuer mismatch");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -494,29 +487,28 @@ sub checkIDTokenValidity {
|
|||
if ( ref $id_token->{aud} ) {
|
||||
my @audience = @{ $id_token->{aud} };
|
||||
unless ( grep $_ eq $client_id, @audience ) {
|
||||
$self->lmLog( "Client ID not found in audience array", 'error' );
|
||||
$self->logger->error("Client ID not found in audience array");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ( $#audience > 1 ) {
|
||||
unless ( $id_token->{azp} eq $client_id ) {
|
||||
$self->lmLog(
|
||||
"More than one audience, and azp not equal to client ID",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"More than one audience, and azp not equal to client ID");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
unless ( $id_token->{aud} eq $client_id ) {
|
||||
$self->lmLog( "Audience mismatch", 'error' );
|
||||
$self->logger->error("Audience mismatch");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
# Check time
|
||||
unless ( time < $id_token->{exp} ) {
|
||||
$self->lmLog( "ID token expired", 'error' );
|
||||
$self->logger->error("ID token expired");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -524,8 +516,8 @@ sub checkIDTokenValidity {
|
|||
my $iat = $id_token->{iat};
|
||||
if ($id_token_max_age) {
|
||||
unless ( $iat + $id_token_max_age > time ) {
|
||||
$self->lmLog( "ID token too old (Max age: $id_token_max_age)",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"ID token too old (Max age: $id_token_max_age)");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -534,19 +526,19 @@ sub checkIDTokenValidity {
|
|||
if ($use_nonce) {
|
||||
my $nonce = $id_token->{nonce};
|
||||
unless ($nonce) {
|
||||
$self->lmLog( "Nonce was not returned by OP $op", 'error' );
|
||||
$self->logger->error("Nonce was not returned by OP $op");
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
# Get nonce session
|
||||
my $nonceSession = $self->getOpenIDConnectSession($nonce);
|
||||
unless ($nonceSession) {
|
||||
$self->lmLog( "Nonce $nonce verification failed", 'error' );
|
||||
$self->logger->error("Nonce $nonce verification failed");
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
$nonceSession->remove;
|
||||
$self->lmLog( "Nonce $nonce deleted", 'debug' );
|
||||
$self->logger->debug("Nonce $nonce deleted");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -555,13 +547,12 @@ sub checkIDTokenValidity {
|
|||
my $acr = $id_token->{acr};
|
||||
if ( defined $acr_values ) {
|
||||
unless ($acr) {
|
||||
$self->lmLog( "ACR was not returned by OP $op", 'error' );
|
||||
$self->logger->error("ACR was not returned by OP $op");
|
||||
return 0;
|
||||
}
|
||||
unless ( $acr_values =~ /\b$acr\b/i ) {
|
||||
$self->lmLog(
|
||||
"ACR $acr not listed in request ACR values ($acr_values)",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"ACR $acr not listed in request ACR values ($acr_values)");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -570,13 +561,12 @@ sub checkIDTokenValidity {
|
|||
my $auth_time = $id_token->{auth_time};
|
||||
if ($max_age) {
|
||||
unless ($auth_time) {
|
||||
$self->lmLog( "Auth time was not returned by OP $op", 'error' );
|
||||
$self->logger->error("Auth time was not returned by OP $op");
|
||||
return 0;
|
||||
}
|
||||
if ( $auth_time + $max_age > time ) {
|
||||
$self->lmLog(
|
||||
"Authentication time ($auth_time) is too old (Max age: $max_age)",
|
||||
'error'
|
||||
$self->userLogger->error(
|
||||
"Authentication time ($auth_time) is too old (Max age: $max_age)"
|
||||
);
|
||||
return 0;
|
||||
}
|
||||
|
@ -594,20 +584,19 @@ sub getUserInfo {
|
|||
$self->oidcOPList->{$op}->{conf}->{userinfo_endpoint};
|
||||
|
||||
unless ($userinfo_uri) {
|
||||
$self->lmLog( "UserInfo URI not found in $op configuration", 'error' );
|
||||
$self->logger->error("UserInfo URI not found in $op configuration");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
"Request User Info on $userinfo_uri with access token $access_token",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Request User Info on $userinfo_uri with access token $access_token");
|
||||
|
||||
my $response = $self->ua->get( $userinfo_uri,
|
||||
"Authorization" => "Bearer $access_token" );
|
||||
|
||||
if ( $response->is_error ) {
|
||||
$self->lmLog( "Bad userinfo response: " . $response->message, "error" );
|
||||
$self->lmLog( $response->content, 'debug' );
|
||||
$self->logger->error( "Bad userinfo response: " . $response->message );
|
||||
$self->logger->debug( $response->content );
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -661,9 +650,8 @@ sub getOpenIDConnectSession {
|
|||
$self->p->userInfo("OpenIDConnect session $id isn't yet available");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to create new OpenIDConnect session",
|
||||
'error' );
|
||||
$self->lmLog( $oidcSession->error, 'error' );
|
||||
$self->logger->error("Unable to create new OpenIDConnect session");
|
||||
$self->logger->error( $oidcSession->error );
|
||||
}
|
||||
return undef;
|
||||
}
|
||||
|
@ -730,17 +718,17 @@ sub extractState {
|
|||
$req->$_($tmp);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unknown request property $_, skipping", 'warn' );
|
||||
$self->logger->warn("Unknown request property $_, skipping");
|
||||
}
|
||||
}
|
||||
|
||||
# Delete state session
|
||||
if ( $stateSession->remove ) {
|
||||
$self->lmLog( "State $state was deleted", 'debug' );
|
||||
$self->logger->debug("State $state was deleted");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to delete state $state", 'error' );
|
||||
$self->lmLog( $stateSession->error, 'error' );
|
||||
$self->logger->error("Unable to delete state $state");
|
||||
$self->logger->error( $stateSession->error );
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -761,7 +749,7 @@ sub extractJWT {
|
|||
sub verifyJWTSignature {
|
||||
my ( $self, $jwt, $op, $rp ) = @_;
|
||||
|
||||
$self->lmLog( "Verification of JWT signature: $jwt", 'debug' );
|
||||
$self->logger->debug("Verification of JWT signature: $jwt");
|
||||
|
||||
# Extract JWT parts
|
||||
my $jwt_parts = $self->extractJWT($jwt);
|
||||
|
@ -774,18 +762,15 @@ sub verifyJWTSignature {
|
|||
# Get signature algorithm
|
||||
my $alg = $jwt_header_hash->{alg};
|
||||
|
||||
$self->lmLog( "JWT signature algorithm: $alg", 'debug' );
|
||||
$self->logger->debug("JWT signature algorithm: $alg");
|
||||
|
||||
if ( $alg eq "none" ) {
|
||||
|
||||
# If none alg, signature should be empty
|
||||
if ( $jwt_parts->[2] ) {
|
||||
$self->lmLog(
|
||||
"Signature "
|
||||
$self->logger->debug( "Signature "
|
||||
. $jwt_parts->[2]
|
||||
. " is present but algorithm is 'none'",
|
||||
'debug'
|
||||
);
|
||||
. " is present but algorithm is 'none'" );
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
@ -829,9 +814,8 @@ sub verifyJWTSignature {
|
|||
$digest =~ s/\//_/g;
|
||||
|
||||
unless ( $digest eq $jwt_parts->[2] ) {
|
||||
$self->lmLog(
|
||||
"Digest $digest not equal to signature " . $jwt_parts->[2],
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Digest $digest not equal to signature " . $jwt_parts->[2] );
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
|
@ -840,14 +824,14 @@ sub verifyJWTSignature {
|
|||
if ( $alg eq "RS256" or $alg eq "RS384" or $alg eq "RS512" ) {
|
||||
|
||||
if ($rp) {
|
||||
$self->lmLog( "Algorithm $alg not supported", 'debug' );
|
||||
$self->logger->debug("Algorithm $alg not supported");
|
||||
return 0;
|
||||
}
|
||||
|
||||
# The public key is needed
|
||||
unless ( $self->oidcOPList->{$op}->{jwks} ) {
|
||||
$self->lmLog( "Cannot verify $alg signature: no JWKS data found",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Cannot verify $alg signature: no JWKS data found");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -858,7 +842,7 @@ sub verifyJWTSignature {
|
|||
my $kid = $jwt_header_hash->{kid};
|
||||
|
||||
if ($kid) {
|
||||
$self->lmLog( "Search key with id $kid", 'debug' );
|
||||
$self->logger->debug("Search key with id $kid");
|
||||
foreach (@$keys) {
|
||||
if ( $_->{kid} eq $kid ) {
|
||||
$key_hash = $_;
|
||||
|
@ -871,14 +855,14 @@ sub verifyJWTSignature {
|
|||
}
|
||||
|
||||
unless ($key_hash) {
|
||||
$self->lmLog( "No key found in JWKS data", 'error' );
|
||||
$self->logger->error("No key found in JWKS data");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "Found public key parameter n: " . $key_hash->{n},
|
||||
'debug' );
|
||||
$self->lmLog( "Found public key parameter e: " . $key_hash->{e},
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Found public key parameter n: " . $key_hash->{n} );
|
||||
$self->logger->debug(
|
||||
"Found public key parameter e: " . $key_hash->{e} );
|
||||
|
||||
# Create public key
|
||||
my $n =
|
||||
|
@ -909,7 +893,7 @@ sub verifyJWTSignature {
|
|||
}
|
||||
|
||||
# Other algorithms not managed
|
||||
$self->lmLog( "Algorithm $alg not known", 'debug' );
|
||||
$self->logger->debug("Algorithm $alg not known");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -924,7 +908,7 @@ sub verifyJWTSignature {
|
|||
sub verifyHash {
|
||||
my ( $self, $value, $hash, $id_token ) = @_;
|
||||
|
||||
$self->lmLog( "Verification of value $value with hash $hash", 'debug' );
|
||||
$self->logger->debug("Verification of value $value with hash $hash");
|
||||
|
||||
# Extract ID token parts
|
||||
my $jwt_parts = $self->extractJWT($id_token);
|
||||
|
@ -937,13 +921,12 @@ sub verifyHash {
|
|||
# Get signature algorithm
|
||||
my $alg = $jwt_header_hash->{alg};
|
||||
|
||||
$self->lmLog( "ID Token signature algorithm: $alg", 'debug' );
|
||||
$self->logger->debug("ID Token signature algorithm: $alg");
|
||||
|
||||
if ( $alg eq "none" ) {
|
||||
|
||||
# Not supported
|
||||
$self->lmLog( "Cannot check hash without signature algorithm",
|
||||
'debug' );
|
||||
$self->logger->debug("Cannot check hash without signature algorithm");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -952,20 +935,20 @@ sub verifyHash {
|
|||
# Hash Level
|
||||
my $hash_level = $1;
|
||||
|
||||
$self->lmLog( "Use SHA $hash_level to check hash", 'debug' );
|
||||
$self->logger->debug("Use SHA $hash_level to check hash");
|
||||
|
||||
my $cHash = $self->createHash( $value, $hash_level );
|
||||
|
||||
# Compare values
|
||||
unless ( $cHash eq $hash ) {
|
||||
$self->lmLog( "Hash $hash not equal to hash $cHash", 'debug' );
|
||||
$self->logger->debug("Hash $hash not equal to hash $cHash");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
# Other algorithms not managed
|
||||
$self->lmLog( "Algorithm $alg not known", 'debug' );
|
||||
$self->logger->debug("Algorithm $alg not known");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -977,7 +960,7 @@ sub verifyHash {
|
|||
sub createHash {
|
||||
my ( $self, $value, $hash_level ) = @_;
|
||||
|
||||
$self->lmLog( "Use SHA $hash_level to hash $value", 'debug' );
|
||||
$self->logger->debug("Use SHA $hash_level to hash $value");
|
||||
|
||||
my $hash;
|
||||
|
||||
|
@ -1059,15 +1042,15 @@ sub getEndPointAuthenticationCredentials {
|
|||
|
||||
my $authorization = $req->authorization;
|
||||
if ( $authorization and $authorization =~ /^Basic (\w+)/i ) {
|
||||
$self->lmLog( "Method client_secret_basic used", 'debug' );
|
||||
$self->logger->debug("Method client_secret_basic used");
|
||||
eval {
|
||||
( $client_id, $client_secret ) =
|
||||
split( /:/, decode_base64($1) );
|
||||
};
|
||||
$self->lmLog( "Bad authentication header: $@", 'error' ) if ($@);
|
||||
$self->logger->error("Bad authentication header: $@") if ($@);
|
||||
}
|
||||
elsif ( $req->param('client_id') and $req->param('client_secret') ) {
|
||||
$self->lmLog( "Method client_secret_post used", 'debug' );
|
||||
$self->logger->debug("Method client_secret_post used");
|
||||
$client_id = $req->param('client_id');
|
||||
$client_secret = $req->param('client_secret');
|
||||
}
|
||||
|
@ -1083,11 +1066,11 @@ sub getEndPointAccessToken {
|
|||
|
||||
my $authorization = $req->authorization;
|
||||
if ( $authorization =~ /^Bearer (\w+)/i ) {
|
||||
$self->lmLog( "Bearer access token", 'debug' );
|
||||
$self->logger->debug("Bearer access token");
|
||||
$access_token = $1;
|
||||
}
|
||||
elsif ( $access_token = $req->param('access_token') ) {
|
||||
$self->lmLog( "GET/POST access token", 'debug' );
|
||||
$self->logger->debug("GET/POST access token");
|
||||
}
|
||||
|
||||
return $access_token;
|
||||
|
@ -1115,7 +1098,7 @@ sub buildUserInfoResponse {
|
|||
my $apacheSession = $self->p->getApacheSession($user_session_id);
|
||||
|
||||
unless ($apacheSession) {
|
||||
$self->lmLog( "Unable to find user session", "error" );
|
||||
$self->logger->error("Unable to find user session");
|
||||
return undef;
|
||||
}
|
||||
my $user_id_attribute =
|
||||
|
@ -1124,14 +1107,14 @@ sub buildUserInfoResponse {
|
|||
|| $self->conf->{whatToTrace};
|
||||
my $user_id = $apacheSession->data->{$user_id_attribute};
|
||||
|
||||
$self->lmLog( "Found corresponding user: $user_id", 'debug' );
|
||||
$self->logger->debug("Found corresponding user: $user_id");
|
||||
|
||||
$userinfo_response->{sub} = $user_id;
|
||||
|
||||
# Parse scope and return allowed attributes
|
||||
foreach my $claim ( split( /\s/, $scope ) ) {
|
||||
next if ( $claim eq "openid" );
|
||||
$self->lmLog( "Get attributes linked to claim $claim", 'debug' );
|
||||
$self->logger->debug("Get attributes linked to claim $claim");
|
||||
my $list = $self->getAttributesListFromClaim( $rp, $claim );
|
||||
next unless $list;
|
||||
foreach my $attribute (@$list) {
|
||||
|
@ -1233,7 +1216,7 @@ sub createJWT {
|
|||
return $jwt_header . "." . $jwt_payload . "." . $digest;
|
||||
}
|
||||
|
||||
$self->lmLog( "Algorithm $alg not supported to sign JWT", 'debug' );
|
||||
$self->logger->debug("Algorithm $alg not supported to sign JWT");
|
||||
|
||||
return;
|
||||
}
|
||||
|
@ -1248,7 +1231,7 @@ sub createIDToken {
|
|||
# Get signature algorithm
|
||||
my $alg = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||
->{oidcRPMetaDataOptionsIDTokenSignAlg};
|
||||
$self->lmLog( "ID Token signature algorithm: $alg", 'debug' );
|
||||
$self->logger->debug("ID Token signature algorithm: $alg");
|
||||
|
||||
return $self->createJWT( $payload, $alg, $rp );
|
||||
}
|
||||
|
@ -1371,7 +1354,7 @@ sub getRequestJWT {
|
|||
my $response = $self->ua->get($request_uri);
|
||||
|
||||
if ( $response->is_error ) {
|
||||
$self->lmLog( "Unable to get request JWT on $request_uri", 'error' );
|
||||
$self->logger->error("Unable to get request JWT on $request_uri");
|
||||
return;
|
||||
}
|
||||
|
||||
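Review bot: The max_age check `if ( $auth_time + $max_age > time ) {` in the `@ -570,13 +561,12 @@` hunk of checkIDTokenValidity is inverted: it rejects an authentication that is still within max_age and lets an older one through, contradicting both its own "too old" message and the iat check in the `@ -524,8 +516,8 @@` hunk, which is written `unless ( $iat + $id_token_max_age > time )`; it should read `unless ( $auth_time + $max_age > time ) {`. In the same hunk the converted call is `$self->userLogger->error(` while every other call in this file became `$self->logger->`; if that is deliberate, a one-line comment would save the next reader a search. In the `@ -494,29 +487,28 @@` hunk, `if ( $#audience > 1 )` only triggers the azp check from three audiences upward, because `$#audience` is the last index; "more than one audience" is `if ( $#audience > 0 )` (or `if ( @audience > 1 )`). Finally, the debug messages in getUserInfo (`... with access token $access_token`) and verifyJWTSignature (`Verification of JWT signature: $jwt`) write bearer and ID tokens to the log; a truncated prefix or just the length is enough to trace the flow.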
|
|
|
@ -35,20 +35,19 @@ no warnings 'once';
|
|||
sub getUser {
|
||||
my ( $self, $req ) = @_;
|
||||
return PE_OK if ( $req->datas->{_proxyQueryDone} );
|
||||
$self->lmLog( 'Proxy push auth to ' . $self->conf->{proxyAuthService},
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'Proxy push auth to ' . $self->conf->{proxyAuthService} );
|
||||
my $resp = $self->ua->post( $self->conf->{proxyAuthService},
|
||||
{ user => $req->{user}, password => $req->datas->{password} } );
|
||||
unless ( $resp->is_success ) {
|
||||
$self->lmLog(
|
||||
'Unable to query authentication service: ' . $resp->status_line,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
'Unable to query authentication service: ' . $resp->status_line );
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog( 'Proxy gets a response', 'debug' );
|
||||
$self->logger->debug('Proxy gets a response');
|
||||
my $res = eval { JSON::from_json( $resp->content ) };
|
||||
if ($@) {
|
||||
$self->lmLog("Bad content: $@");
|
||||
$self->logger->error("Bad content: $@");
|
||||
return PE_ERROR;
|
||||
}
|
||||
$req->sessionInfo->{_proxyQueryDone}++;
|
||||
|
@ -58,11 +57,9 @@ sub getUser {
|
|||
}
|
||||
$req->sessionInfo->{_proxyCookies} = join '; ',
|
||||
map { s/;.*$//; $_ } $resp->header('Set-Cookie');
|
||||
$self->lmLog(
|
||||
'Store remote cookies in session ('
|
||||
. $req->sessionInfo->{_proxyCookies} . ')',
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug( 'Store remote cookies in session ('
|
||||
. $req->sessionInfo->{_proxyCookies}
|
||||
. ')' );
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
|
@ -78,14 +75,14 @@ sub setSessionInfo {
|
|||
);
|
||||
my $resp = $self->ua->request($q);
|
||||
unless ( $resp->is_success ) {
|
||||
$self->lmLog( 'Unable to query session service: ' . $resp->status_line,
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
'Unable to query session service: ' . $resp->status_line );
|
||||
return PE_ERROR;
|
||||
}
|
||||
$self->lmLog( 'Proxy gets a response', 'debug' );
|
||||
$self->logger->debug('Proxy gets a response');
|
||||
my $res = eval { JSON::from_json( $resp->content ) };
|
||||
if ($@) {
|
||||
$self->lmLog("Bad content: $@");
|
||||
$self->logger->error("Bad content: $@");
|
||||
return PE_ERROR;
|
||||
}
|
||||
foreach ( keys %$res ) {
|
||||
|
@ -97,7 +94,8 @@ sub setSessionInfo {
|
|||
|
||||
sub authLogout {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( 'Proxy ask logout to '. $self->conf->{proxyAuthService},'debug');
|
||||
$self->logger->debug(
|
||||
'Proxy ask logout to ' . $self->conf->{proxyAuthService} );
|
||||
my $q = HTTP::Request->new(
|
||||
GET => $self->conf->{proxyAuthService} . '?logout=1',
|
||||
[
|
||||
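Review bot: The debug call rewritten in the `@ -58,11 +57,9 @@` hunk of getUser logs `$req->sessionInfo->{_proxyCookies}`, i.e. the raw Set-Cookie values received from proxyAuthService, which are the proxied user's session credentials; the risk predates the commit, but the rewritten call is the place to fix it. Logging the cookie count, or the names with everything after `=` stripped, is enough to trace the flow. The sub also ends with a bare `PE_OK;` where the error paths use `return PE_ERROR;`; `return PE_OK;` would make the intent explicit. Note as well that getUser sets `$req->sessionInfo->{_proxyQueryDone}++` but the guard at its top reads `$req->datas->{_proxyQueryDone}`; if sessionInfo is not copied into datas between calls the early return never fires, which is worth confirming.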
|
|
|
@ -56,8 +56,8 @@ sub checkRemoteId {
|
|||
);
|
||||
|
||||
if ( $remoteSession->error ) {
|
||||
$self->lmLog( "Remote session error", 'error' );
|
||||
$self->lmLog( $remoteSession->error, 'error' );
|
||||
$self->logger->error("Remote session error");
|
||||
$self->logger->error( $remoteSession->error );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
|
|
|
@ -106,18 +106,18 @@ sub init {
|
|||
}
|
||||
|
||||
unless (LASSOTHINSESSIONS) {
|
||||
$self->lmLog( 'Lasso thin-sessions flag could not be set', 'warn' );
|
||||
$self->logger->warn('Lasso thin-sessions flag could not be set');
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Lasso thin-sessions flag set', 'debug' );
|
||||
$self->logger->debug('Lasso thin-sessions flag set');
|
||||
}
|
||||
if (GLIB) {
|
||||
Glib::Log->set_handler(
|
||||
"Lasso",
|
||||
[qw/ error critical warning message info debug /],
|
||||
sub {
|
||||
$self->lmLog( $_[0] . " error " . $_[1] . ": " . $_[2],
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
$_[0] . " error " . $_[1] . ": " . $_[2] );
|
||||
}
|
||||
);
|
||||
}
|
||||
|
@ -154,12 +154,12 @@ sub loadService {
|
|||
and $self->conf->{samlServicePublicKeySig} =~ /CERTIFICATE/ )
|
||||
{
|
||||
$serviceCertificate = $self->conf->{samlServicePublicKeySig};
|
||||
$self->lmLog( 'Certificate will be used in SAML responses', 'debug' );
|
||||
$self->logger->debug('Certificate will be used in SAML responses');
|
||||
|
||||
}
|
||||
|
||||
# Get metadata from configuration
|
||||
$self->lmLog( "Get Metadata for this service", 'debug' );
|
||||
$self->logger->debug("Get Metadata for this service");
|
||||
my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
|
||||
|
||||
# Create Lasso server with service metadata
|
||||
|
@ -188,7 +188,7 @@ sub loadService {
|
|||
$self->error('Unable to create Lasso server');
|
||||
return 0;
|
||||
}
|
||||
$self->lmLog( "Service created", 'debug' );
|
||||
$self->logger->debug("Service created");
|
||||
|
||||
return $server;
|
||||
}
|
||||
|
@ -200,7 +200,7 @@ sub loadIDPs {
|
|||
unless ( $self->conf->{samlIDPMetaDataXML}
|
||||
and keys %{ $self->conf->{samlIDPMetaDataXML} } )
|
||||
{
|
||||
$self->lmLog( "No IDP found in configuration", 'warn' );
|
||||
$self->logger->warn("No IDP found in configuration");
|
||||
}
|
||||
|
||||
# Load identity provider metadata
|
||||
|
@ -212,7 +212,7 @@ sub loadIDPs {
|
|||
# TODO: QUESTION: do we have to return 0 (<=> block initialization) if one
|
||||
# IdP load fails ?
|
||||
foreach ( keys %{ $self->conf->{samlIDPMetaDataXML} } ) {
|
||||
$self->lmLog( "Get Metadata for IDP $_", 'debug' );
|
||||
$self->logger->debug("Get Metadata for IDP $_");
|
||||
|
||||
my $idp_metadata =
|
||||
$self->conf->{samlIDPMetaDataXML}->{$_}->{samlIDPMetaDataXML};
|
||||
|
@ -261,10 +261,9 @@ sub loadIDPs {
|
|||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "Set encryption mode $encryption_mode on IDP $_",
|
||||
'debug' );
|
||||
$self->logger->debug("Set encryption mode $encryption_mode on IDP $_");
|
||||
|
||||
$self->lmLog( "IDP $_ added", 'debug' );
|
||||
$self->logger->debug("IDP $_ added");
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
@ -276,7 +275,7 @@ sub loadSPs {
|
|||
unless ( $self->conf->{samlSPMetaDataXML}
|
||||
and keys %{ $self->conf->{samlSPMetaDataXML} } )
|
||||
{
|
||||
$self->lmLog( "No SP found in configuration", 'warn' );
|
||||
$self->logger->warn("No SP found in configuration");
|
||||
}
|
||||
|
||||
# Load service provider metadata
|
||||
|
@ -286,7 +285,7 @@ sub loadSPs {
|
|||
$self->spList( {} );
|
||||
foreach ( keys %{ $self->conf->{samlSPMetaDataXML} } ) {
|
||||
|
||||
$self->lmLog( "Get Metadata for SP $_", 'debug' );
|
||||
$self->logger->debug("Get Metadata for SP $_");
|
||||
|
||||
my $sp_metadata =
|
||||
$self->conf->{samlSPMetaDataXML}->{$_}->{samlSPMetaDataXML};
|
||||
|
@ -335,10 +334,9 @@ sub loadSPs {
|
|||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "Set encryption mode $encryption_mode on SP $_",
|
||||
'debug' );
|
||||
$self->logger->debug("Set encryption mode $encryption_mode on SP $_");
|
||||
|
||||
$self->lmLog( "SP $_ added", 'debug' );
|
||||
$self->logger->debug("SP $_ added");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -365,13 +363,13 @@ sub checkMessage {
|
|||
if ( $request_method eq 'GET' ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_REDIRECT;
|
||||
$self->lmLog( "SAML method: HTTP-REDIRECT", 'debug' );
|
||||
$self->logger->debug("SAML method: HTTP-REDIRECT");
|
||||
|
||||
if ( $req->param('SAMLResponse') ) {
|
||||
|
||||
# Response in query string
|
||||
$response = $self->getQueryString($req);
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Response $response", 'debug' );
|
||||
$self->logger->debug("HTTP-REDIRECT: SAML Response $response");
|
||||
|
||||
}
|
||||
|
||||
|
@ -379,7 +377,7 @@ sub checkMessage {
|
|||
|
||||
# Request in query string
|
||||
$request = $self->getQueryString($req);
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Request $request", 'debug' );
|
||||
$self->logger->debug("HTTP-REDIRECT: SAML Request $request");
|
||||
|
||||
}
|
||||
|
||||
|
@ -387,7 +385,7 @@ sub checkMessage {
|
|||
|
||||
# Artifact in query string
|
||||
$artifact = $self->getQueryString($req);
|
||||
$self->lmLog( "HTTP-REDIRECT: SAML Artifact $artifact", 'debug' );
|
||||
$self->logger->debug("HTTP-REDIRECT: SAML Artifact $artifact");
|
||||
|
||||
# Resolve Artifact
|
||||
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_GET;
|
||||
|
@ -411,13 +409,13 @@ sub checkMessage {
|
|||
if ( $content_type !~ /xml/ ) {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_POST;
|
||||
$self->lmLog( "SAML method: HTTP-POST", 'debug' );
|
||||
$self->logger->debug("SAML method: HTTP-POST");
|
||||
|
||||
if ( $req->param('SAMLResponse') ) {
|
||||
|
||||
# Response in body part
|
||||
$response = $req->param('SAMLResponse');
|
||||
$self->lmLog( "HTTP-POST: SAML Response $response", 'debug' );
|
||||
$self->logger->debug("HTTP-POST: SAML Response $response");
|
||||
|
||||
}
|
||||
|
||||
|
@ -425,7 +423,7 @@ sub checkMessage {
|
|||
|
||||
# Request in body part
|
||||
$request = $req->param('SAMLRequest');
|
||||
$self->lmLog( "HTTP-POST: SAML Request $request", 'debug' );
|
||||
$self->logger->debug("HTTP-POST: SAML Request $request");
|
||||
|
||||
}
|
||||
|
||||
|
@ -433,7 +431,7 @@ sub checkMessage {
|
|||
|
||||
# Artifact in SAMLart param
|
||||
$artifact = $req->param('SAMLart');
|
||||
$self->lmLog( "HTTP-POST: SAML Artifact $artifact", 'debug' );
|
||||
$self->logger->debug("HTTP-POST: SAML Artifact $artifact");
|
||||
|
||||
# Resolve Artifact
|
||||
$method = Lasso::Constants::HTTP_METHOD_ARTIFACT_POST;
|
||||
|
@ -456,11 +454,11 @@ sub checkMessage {
|
|||
else {
|
||||
|
||||
$method = Lasso::Constants::HTTP_METHOD_SOAP;
|
||||
$self->lmLog( "SAML method: HTTP-SOAP", 'debug' );
|
||||
$self->logger->debug("SAML method: HTTP-SOAP");
|
||||
|
||||
# SOAP is always a request
|
||||
$request = $req->content;
|
||||
$self->lmLog( "HTTP-SOAP: SAML Request $request", 'debug' );
|
||||
$self->logger->debug("HTTP-SOAP: SAML Request $request");
|
||||
|
||||
}
|
||||
|
||||
|
@ -482,13 +480,13 @@ sub checkLassoError {
|
|||
# If $error is not a Lasso::Error object, display error string
|
||||
unless ( ref($error) and $error->isa("Lasso::Error") ) {
|
||||
return 1 unless $error;
|
||||
$self->lmLog( "Lasso error: $error", $level );
|
||||
$self->p->lmLog( "Lasso error: $error", $level );
|
||||
return 0;
|
||||
}
|
||||
|
||||
# Else check error code and error message
|
||||
if ( $error->{code} ) {
|
||||
$self->lmLog(
|
||||
$self->p->lmLog(
|
||||
"Lasso error code " . $error->{code} . ": " . $error->{message},
|
||||
$level );
|
||||
return 0;
|
||||
|
@ -696,14 +694,14 @@ sub createAuthnRequest {
|
|||
my $login = $self->createLogin($server);
|
||||
|
||||
unless ($login) {
|
||||
$self->lmLog( 'Unable to create Lasso login', 'error' );
|
||||
$self->logger->error('Unable to create Lasso login');
|
||||
return;
|
||||
}
|
||||
|
||||
# Init authentication request
|
||||
unless ( $self->initAuthnRequest( $login, $idp, $method ) ) {
|
||||
$self->lmLog( "Could not initiate authentication request on $idp",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Could not initiate authentication request on $idp");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -712,7 +710,7 @@ sub createAuthnRequest {
|
|||
$self->storeRelayState( $req, 'urldc', 'checkLogins' ) )
|
||||
{
|
||||
$login->msg_relayState($relaystate);
|
||||
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
||||
$self->logger->debug("Set $relaystate in RelayState");
|
||||
}
|
||||
|
||||
# Customize request
|
||||
|
@ -724,7 +722,7 @@ sub createAuthnRequest {
|
|||
# * Forward some authn constraints
|
||||
if ( $req->datas->{_proxiedSamlRequest} ) {
|
||||
|
||||
$self->lmLog( "IDP Proxy mode detected", 'debug' );
|
||||
$self->logger->debug("IDP Proxy mode detected");
|
||||
|
||||
# Get ProxyCount value
|
||||
eval {
|
||||
|
@ -735,12 +733,12 @@ sub createAuthnRequest {
|
|||
# Deny request if ProxyCount eq 0
|
||||
if ( defined $proxyCount ) {
|
||||
|
||||
$self->lmLog( "Found proxyCount $proxyCount in proxied request",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Found proxyCount $proxyCount in proxied request");
|
||||
|
||||
if ( $proxyCount eq 0 ) {
|
||||
$self->lmLog( "SAML request cannot be proxied (ProxyCount 0)",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"SAML request cannot be proxied (ProxyCount 0)");
|
||||
return;
|
||||
}
|
||||
else {
|
||||
|
@ -767,7 +765,7 @@ sub createAuthnRequest {
|
|||
|
||||
# NameIDFormat
|
||||
if ($nameIDFormat) {
|
||||
$self->lmLog( "Use NameIDFormat $nameIDFormat", 'debug' );
|
||||
$self->logger->debug("Use NameIDFormat $nameIDFormat");
|
||||
$request->NameIDPolicy()->Format($nameIDFormat);
|
||||
}
|
||||
|
||||
|
@ -776,19 +774,19 @@ sub createAuthnRequest {
|
|||
|
||||
# Force authentication
|
||||
if ($forceAuthn) {
|
||||
$self->lmLog( "Force authentication on IDP", 'debug' );
|
||||
$self->logger->debug("Force authentication on IDP");
|
||||
$request->ForceAuthn(1);
|
||||
}
|
||||
|
||||
# Passive authentication
|
||||
if ($isPassive) {
|
||||
$self->lmLog( "Passive authentication on IDP", 'debug' );
|
||||
$self->logger->debug("Passive authentication on IDP");
|
||||
$request->IsPassive(1);
|
||||
}
|
||||
|
||||
# Allow proxy
|
||||
unless ($allowProxiedAuthn) {
|
||||
$self->lmLog( "Do not allow this request to be proxied", 'debug' );
|
||||
$self->logger->debug("Do not allow this request to be proxied");
|
||||
eval {
|
||||
my $proxyRestriction = Lasso::Saml2ProxyRestriction->new();
|
||||
$proxyRestriction->Audience($idp);
|
||||
|
@ -806,25 +804,24 @@ sub createAuthnRequest {
|
|||
|
||||
# Signature
|
||||
if ( $signSSOMessage == 0 ) {
|
||||
$self->lmLog( "SSO request will not be signed", 'debug' );
|
||||
$self->logger->debug("SSO request will not be signed");
|
||||
$self->disableSignature($login);
|
||||
}
|
||||
elsif ( $signSSOMessage == 1 ) {
|
||||
$self->lmLog( "SSO request will be signed", 'debug' );
|
||||
$self->logger->debug("SSO request will be signed");
|
||||
$self->forceSignature($login);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "SSO request signature according to metadata", 'debug' );
|
||||
$self->logger->debug("SSO request signature according to metadata");
|
||||
}
|
||||
|
||||
# Requested authentication context
|
||||
if ($proxyRequestedAuthnContext) {
|
||||
$self->lmLog( "Use RequestedAuthnContext from proxied request",
|
||||
'debug' );
|
||||
$self->logger->debug("Use RequestedAuthnContext from proxied request");
|
||||
$request->RequestedAuthnContext($proxyRequestedAuthnContext);
|
||||
}
|
||||
elsif ($requestedAuthnContext) {
|
||||
$self->lmLog( "Request $requestedAuthnContext context", 'debug' );
|
||||
$self->logger->debug("Request $requestedAuthnContext context");
|
||||
eval {
|
||||
my $context = Lasso::Samlp2RequestedAuthnContext->new();
|
||||
$context->AuthnContextClassRef($requestedAuthnContext);
|
||||
|
@ -839,8 +836,7 @@ sub createAuthnRequest {
|
|||
|
||||
# Build authentication request
|
||||
unless ( $self->buildAuthnRequestMsg($login) ) {
|
||||
$self->lmLog( "Could not build authentication request on $idp",
|
||||
'error' );
|
||||
$self->logger->error("Could not build authentication request on $idp");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1145,7 +1141,7 @@ sub extractRelayState {
|
|||
|
||||
return 0 unless $relaystate;
|
||||
if ( $relayStateURL and $relaystate =~ /^https?:\/\// ) {
|
||||
$self->lmLog( "RelayState is a redirection URL: $relaystate", 'debug' );
|
||||
$self->logger->debug("RelayState is a redirection URL: $relaystate");
|
||||
$req->{urldc} = $relaystate;
|
||||
return 1;
|
||||
}
|
||||
|
@ -1164,11 +1160,11 @@ sub extractRelayState {
|
|||
|
||||
# delete relaystate session
|
||||
if ( $samlSessionInfo->remove ) {
|
||||
$self->lmLog( "Relaystate $relaystate was deleted", 'debug' );
|
||||
$self->logger->debug("Relaystate $relaystate was deleted");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to delete relaystate $relaystate", 'error' );
|
||||
$self->lmLog( $samlSessionInfo->error, 'error' );
|
||||
$self->logger->error("Unable to delete relaystate $relaystate");
|
||||
$self->logger->error( $samlSessionInfo->error );
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -1258,8 +1254,7 @@ sub validateConditions {
|
|||
# Time
|
||||
if ($checkTime) {
|
||||
eval {
|
||||
$status =
|
||||
Lasso::Saml2Assertion::validate_time_checks( $assertion,
|
||||
$status = Lasso::Saml2Assertion::validate_time_checks( $assertion,
|
||||
$tolerance );
|
||||
};
|
||||
|
||||
|
@ -1269,15 +1264,14 @@ sub validateConditions {
|
|||
}
|
||||
|
||||
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
|
||||
$self->lmLog( "Time conditions validations result: $status",
|
||||
'error' );
|
||||
$self->logger->error("Time conditions validations result: $status");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "Time conditions validated", 'debug' );
|
||||
$self->logger->debug("Time conditions validated");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Time conditions not checked", 'debug' );
|
||||
$self->logger->debug("Time conditions not checked");
|
||||
}
|
||||
|
||||
# Audience
|
||||
|
@ -1293,15 +1287,15 @@ sub validateConditions {
|
|||
}
|
||||
|
||||
unless ( $status eq Lasso::Constants::SAML2_ASSERTION_VALID ) {
|
||||
$self->lmLog( "Audience conditions validations result: $status",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Audience conditions validations result: $status");
|
||||
return 0;
|
||||
}
|
||||
|
||||
$self->lmLog( "Audience conditions validated", 'debug' );
|
||||
$self->logger->debug("Audience conditions validated");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Audience conditions not checked", 'debug' );
|
||||
$self->logger->debug("Audience conditions not checked");
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -1322,39 +1316,38 @@ sub createLogoutRequest {
|
|||
my $logout = $self->createLogout($server);
|
||||
|
||||
unless ( $self->setSessionFromDump( $logout, $session_dump ) ) {
|
||||
$self->lmLog( "Could not fill Lasso::Logout with session dump",
|
||||
'error' );
|
||||
$self->logger->error("Could not fill Lasso::Logout with session dump");
|
||||
return;
|
||||
}
|
||||
|
||||
# Init logout request
|
||||
unless ( $self->initLogoutRequest( $logout, undef, $method ) ) {
|
||||
$self->lmLog( "Could not initiate logout request", 'error' );
|
||||
$self->logger->error("Could not initiate logout request");
|
||||
return;
|
||||
}
|
||||
|
||||
# Set RelayState
|
||||
if ( my $relaystate = $self->storeRelayState( $req, 'urldc' ) ) {
|
||||
$logout->msg_relayState($relaystate);
|
||||
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
||||
$self->logger->debug("Set $relaystate in RelayState");
|
||||
}
|
||||
|
||||
# Signature
|
||||
if ( $signSLOMessage == 0 ) {
|
||||
$self->lmLog( "SLO request will not be signed", 'debug' );
|
||||
$self->logger->debug("SLO request will not be signed");
|
||||
$self->disableSignature($logout);
|
||||
}
|
||||
elsif ( $signSLOMessage == 1 ) {
|
||||
$self->lmLog( "SLO request will be signed", 'debug' );
|
||||
$self->logger->debug("SLO request will be signed");
|
||||
$self->forceSignature($logout);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "SLO request signature according to metadata", 'debug' );
|
||||
$self->logger->debug("SLO request signature according to metadata");
|
||||
}
|
||||
|
||||
# Build logout request
|
||||
unless ( $self->buildLogoutRequestMsg($logout) ) {
|
||||
$self->lmLog( "Could not build logout request", 'error' );
|
||||
$self->logger->error("Could not build logout request");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1420,7 +1413,7 @@ sub buildLogoutRequestMsg {
|
|||
sub setSessionFromDump {
|
||||
my ( $self, $profile, $dump ) = @_;
|
||||
|
||||
$self->lmLog( "Loading Session dump: $dump", 'debug' );
|
||||
$self->logger->debug("Loading Session dump: $dump");
|
||||
|
||||
eval { Lasso::Profile::set_session_from_dump( $profile, $dump ); };
|
||||
|
||||
|
@ -1475,7 +1468,7 @@ sub getRouteFromMetaDataURL {
|
|||
my ( $self, $key, $index, $sub ) = @_;
|
||||
my $uri = $self->getMetaDataURL( $key, $index, 0 );
|
||||
unless ( $uri =~ m#^/\w# ) {
|
||||
$self->lmLog( "$key has no index $index", 'debug' );
|
||||
$self->logger->debug("$key has no index $index");
|
||||
return ();
|
||||
}
|
||||
my @t = grep /\w/, split( /\//, $uri );
|
||||
|
@ -1539,8 +1532,7 @@ sub processLogoutRequestMsg {
|
|||
|
||||
return 1 if ( $@ or !$notOnOrAfter );
|
||||
|
||||
$self->lmLog( "Found NotOnOrAfter $notOnOrAfter in logout request",
|
||||
'debug' );
|
||||
$self->logger->debug("Found NotOnOrAfter $notOnOrAfter in logout request");
|
||||
|
||||
my $expirationTime = $self->samldate2timestamp($notOnOrAfter);
|
||||
|
||||
|
@ -1597,8 +1589,8 @@ sub storeReplayProtection {
|
|||
|
||||
my $session_id = $samlSessionInfo->id;
|
||||
|
||||
$self->lmLog( "Keep request ID $samlID in assertion session $session_id",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Keep request ID $samlID in assertion session $session_id");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -1611,8 +1603,8 @@ sub replayProtection {
|
|||
my ( $self, $samlID ) = @_;
|
||||
|
||||
unless ($samlID) {
|
||||
$self->lmLog( "Cannot verify replay because no SAML ID given",
|
||||
'error' );
|
||||
$self->userLogger->error(
|
||||
"Cannot verify replay because no SAML ID given");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1639,18 +1631,16 @@ sub replayProtection {
|
|||
}
|
||||
|
||||
if ( $samlSessionInfo->remove ) {
|
||||
$self->lmLog(
|
||||
"Assertion session $session (Message ID $samlID) was deleted",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Assertion session $session (Message ID $samlID) was deleted"
|
||||
);
|
||||
return $result;
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Unable to delete assertion session $session (Message ID $samlID)",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"Unable to delete assertion session $session (Message ID $samlID)"
|
||||
);
|
||||
$self->lmLog( $samlSessionInfo->error, 'error' );
|
||||
$self->logger->error( $samlSessionInfo->error );
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
@ -1681,7 +1671,7 @@ sub resolveArtifact {
|
|||
return unless $self->checkLassoError($@);
|
||||
|
||||
unless ( $profile->msg_url ) {
|
||||
$self->lmLog( "No artifact resolution URL found", 'error' );
|
||||
$self->logger->error("No artifact resolution URL found");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1690,15 +1680,14 @@ sub resolveArtifact {
|
|||
$request->header( Accept => 'application/xml' );
|
||||
$request->content( $profile->msg_body );
|
||||
|
||||
$self->lmLog(
|
||||
"Send message " . $profile->msg_body . " to " . $profile->msg_url,
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Send message " . $profile->msg_body . " to " . $profile->msg_url );
|
||||
|
||||
# SOAP call
|
||||
my $soap_answer = $self->ua->request($request);
|
||||
if ( $soap_answer->code() == "200" ) {
|
||||
$message = $soap_answer->content();
|
||||
$self->lmLog( "Get message $message", 'debug' );
|
||||
$self->logger->debug("Get message $message");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1730,7 +1719,7 @@ sub storeArtifact {
|
|||
|
||||
my $art_session_id = $samlSessionInfo->id;
|
||||
|
||||
$self->lmLog( "Keep artifact $id in session $art_session_id", 'debug' );
|
||||
$self->logger->debug("Keep artifact $id in session $art_session_id");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -1744,7 +1733,7 @@ sub loadArtifact {
|
|||
my $art_session;
|
||||
|
||||
unless ($id) {
|
||||
$self->lmLog( "Cannot load artifact because no id given", 'error' );
|
||||
$self->logger->error("Cannot load artifact because no id given");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1758,7 +1747,7 @@ sub loadArtifact {
|
|||
|
||||
my $nb_sessions = $#keys + 1;
|
||||
|
||||
$self->lmLog( "Found $nb_sessions sessions for artifact $id", 'debug' );
|
||||
$self->logger->debug("Found $nb_sessions sessions for artifact $id");
|
||||
|
||||
# There should only be 1 result
|
||||
return if ( $nb_sessions != 1 );
|
||||
|
@ -1778,15 +1767,15 @@ sub loadArtifact {
|
|||
|
||||
# Delete session
|
||||
if ( $samlSessionInfo->remove ) {
|
||||
$self->lmLog( "Artifact session $session (ID $id) was deleted",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Artifact session $session (ID $id) was deleted");
|
||||
|
||||
return $art_session;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to delete artifact session $session (ID $id)",
|
||||
'error' );
|
||||
$self->lmLog( $samlSessionInfo->error, 'error' );
|
||||
$self->logger->error(
|
||||
"Unable to delete artifact session $session (ID $id)");
|
||||
$self->logger->error( $samlSessionInfo->error );
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
@ -1808,21 +1797,20 @@ sub createArtifactResponse {
|
|||
eval { $login->set_artifact_message( $art_session->{message} ); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
$self->lmLog( "Cannot load artifact message", 'error' );
|
||||
$self->logger->error("Cannot load artifact message");
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Response loaded", 'debug' );
|
||||
$self->logger->debug("Response loaded");
|
||||
|
||||
# Try to get Lasso session
|
||||
my $session_id = $art_session->{_saml_id};
|
||||
if ($session_id) {
|
||||
$self->lmLog( "Find session_id $session_id in artifact session",
|
||||
'debug' );
|
||||
$self->logger->debug("Find session_id $session_id in artifact session");
|
||||
|
||||
my $session = $self->p->getApacheSession($session_id);
|
||||
unless ($session) {
|
||||
$self->lmLog( "Unable to open session $session_id", 'error' );
|
||||
$self->logger->error("Unable to open session $session_id");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1830,29 +1818,29 @@ sub createArtifactResponse {
|
|||
|
||||
if ($lassoSession) {
|
||||
unless ( $self->setSessionFromDump( $login, $lassoSession ) ) {
|
||||
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
||||
$self->logger->error("Unable to load Lasso Session");
|
||||
return;
|
||||
}
|
||||
$self->lmLog( "Lasso Session loaded", 'debug' );
|
||||
$self->logger->debug("Lasso Session loaded");
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No session_id in artifact session", 'debug' );
|
||||
$self->logger->debug("No session_id in artifact session");
|
||||
}
|
||||
|
||||
# Build artifact response
|
||||
eval { Lasso::Login::build_response_msg($login); };
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
$self->lmLog( "Cannot build artifact response", 'error' );
|
||||
$self->logger->error("Cannot build artifact response");
|
||||
return;
|
||||
}
|
||||
$self->lmLog( "Artifact response built", 'debug' );
|
||||
$self->logger->debug("Artifact response built");
|
||||
|
||||
# Store Lasso session if session opened
|
||||
if ( $session_id and $login->is_session_dirty ) {
|
||||
$self->lmLog( "Save Lasso session in session", 'debug' );
|
||||
$self->logger->debug("Save Lasso session in session");
|
||||
$self->updateSession( $req,
|
||||
{ _lassoSessionDump => $login->get_session->dump }, $session_id );
|
||||
}
|
||||
|
@ -1913,16 +1901,16 @@ sub sendSOAPMessage {
|
|||
$request->header( Accept => 'application/xml' );
|
||||
$request->content($message);
|
||||
|
||||
$self->lmLog( "Send SOAP message $message to $endpoint", 'debug' );
|
||||
$self->logger->debug("Send SOAP message $message to $endpoint");
|
||||
|
||||
# SOAP call
|
||||
my $soap_answer = $self->ua()->request($request);
|
||||
if ( $soap_answer->code() == "200" ) {
|
||||
$response = $soap_answer->content();
|
||||
$self->lmLog( "Get response $response", 'debug' );
|
||||
$self->logger->debug("Get response $response");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No response to SOAP request", 'debug' );
|
||||
$self->logger->debug("No response to SOAP request");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -1961,7 +1949,7 @@ sub createAttributeRequest {
|
|||
# Create assertion query
|
||||
return unless ( $query = $self->createAssertionQuery($server) );
|
||||
|
||||
$self->lmLog( "Assertion query created", 'debug' );
|
||||
$self->logger->debug("Assertion query created");
|
||||
|
||||
# Init request
|
||||
my $method = Lasso::Constants::HTTP_METHOD_SOAP;
|
||||
|
@ -1974,7 +1962,7 @@ sub createAttributeRequest {
|
|||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Assertion query request initiated", 'debug' );
|
||||
$self->logger->debug("Assertion query request initiated");
|
||||
|
||||
# Set NameID
|
||||
eval { $query->request()->Subject()->NameID($nameid); };
|
||||
|
@ -1983,8 +1971,8 @@ sub createAttributeRequest {
|
|||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Set NameID " . $nameid->dump . " in assertion query",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Set NameID " . $nameid->dump . " in assertion query" );
|
||||
|
||||
# Store attributes in request
|
||||
my @requested_attributes;
|
||||
|
@ -2053,7 +2041,7 @@ sub processAttributeRequest {
|
|||
# Create assertion query
|
||||
return unless ( $query = $self->createAssertionQuery($server) );
|
||||
|
||||
$self->lmLog( "Assertion query created", 'debug' );
|
||||
$self->logger->debug("Assertion query created");
|
||||
|
||||
# Process response
|
||||
eval { Lasso::AssertionQuery::process_request_msg( $query, $request ); };
|
||||
|
@ -2062,7 +2050,7 @@ sub processAttributeRequest {
|
|||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Attribute request is valid", 'debug' );
|
||||
$self->logger->debug("Attribute request is valid");
|
||||
|
||||
return $query;
|
||||
}
|
||||
|
@ -2096,7 +2084,7 @@ sub processAttributeResponse {
|
|||
# Create assertion query
|
||||
return unless ( $query = $self->createAssertionQuery($server) );
|
||||
|
||||
$self->lmLog( "Assertion query created", 'debug' );
|
||||
$self->logger->debug("Assertion query created");
|
||||
|
||||
# Process response
|
||||
eval { Lasso::AssertionQuery::process_response_msg( $query, $response ); };
|
||||
|
@ -2105,7 +2093,7 @@ sub processAttributeResponse {
|
|||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Attribute response is valid", 'debug' );
|
||||
$self->logger->debug("Attribute response is valid");
|
||||
|
||||
return $query;
|
||||
}
|
||||
|
@ -2305,8 +2293,8 @@ sub timestamp2samldate {
|
|||
my @t = gmtime($timestamp);
|
||||
my $samldate = strftime( "%Y-%m-%dT%TZ", @t );
|
||||
|
||||
$self->lmLog( "Convert timestamp $timestamp in SAML2 date: $samldate",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Convert timestamp $timestamp in SAML2 date: $samldate");
|
||||
|
||||
return $samldate;
|
||||
}
|
||||
|
@ -2318,15 +2306,14 @@ sub timestamp2samldate {
|
|||
sub samldate2timestamp {
|
||||
my ( $self, $samldate ) = @_;
|
||||
|
||||
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) =
|
||||
( $samldate =~
|
||||
my ( $year, $mon, $mday, $hour, $min, $sec, $msec, $ztime ) = ( $samldate =~
|
||||
/(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z)?/ );
|
||||
|
||||
my $timestamp =
|
||||
timegm( $sec, $min, $hour, $mday, $mon - 1, $year - 1900, 0 );
|
||||
|
||||
$self->lmLog( "Convert SAML2 date $samldate in timestamp: $timestamp",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Convert SAML2 date $samldate in timestamp: $timestamp");
|
||||
|
||||
return $timestamp;
|
||||
}
|
||||
|
@ -2403,7 +2390,7 @@ sub sendLogoutRequestToProvider {
|
|||
|
||||
# Find EntityID in spList or idpList
|
||||
unless ( defined $self->{ lc($type) . 'List' }->{$providerID} ) {
|
||||
$self->lmLog( "$providerID does not match any known $type", 'error' );
|
||||
$self->logger->error("$providerID does not match any known $type");
|
||||
return ( 0, undef, undef );
|
||||
}
|
||||
|
||||
|
@ -2429,56 +2416,54 @@ sub sendLogoutRequestToProvider {
|
|||
->{ 'saml' . $type . 'MetaDataOptionsSignSLOMessage' };
|
||||
|
||||
if ( $signSLOMessage == 0 ) {
|
||||
$self->lmLog( "SLO request will not be signed", 'debug' );
|
||||
$self->logger->debug("SLO request will not be signed");
|
||||
$self->disableSignature($logout);
|
||||
}
|
||||
elsif ( $signSLOMessage == 1 ) {
|
||||
$self->lmLog( "SLO request will be signed", 'debug' );
|
||||
$self->logger->debug("SLO request will be signed");
|
||||
$self->forceSignature($logout);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "SLO request signature according to metadata", 'debug' );
|
||||
$self->logger->debug("SLO request signature according to metadata");
|
||||
}
|
||||
|
||||
# Relay State
|
||||
if ($relayState) {
|
||||
eval { $logout->msg_relayState($relayState); };
|
||||
if ($@) {
|
||||
$self->lmLog(
|
||||
"Unable to set Relay State $relayState in SLO request for $confKey",
|
||||
'error'
|
||||
$self->logger->error(
|
||||
"Unable to set Relay State $relayState in SLO request for $confKey"
|
||||
);
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
$self->lmLog( 'Relay state set', 'debug' );
|
||||
$self->logger->debug('Relay state set');
|
||||
}
|
||||
|
||||
# Build the request
|
||||
unless ( $logout->request() ) {
|
||||
|
||||
$self->lmLog( "No logout request found, build it", 'debug' );
|
||||
$self->logger->debug("No logout request found, build it");
|
||||
|
||||
# Initiate the logout request
|
||||
unless ( $self->initLogoutRequest( $logout, $providerID, $method ) ) {
|
||||
$self->lmLog( "Initiate logout request failed for $providerID",
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
"Initiate logout request failed for $providerID");
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
|
||||
# Build request message
|
||||
unless ( $self->buildLogoutRequestMsg($logout) ) {
|
||||
$self->lmLog( "Build logout request failed for $providerID",
|
||||
'error' );
|
||||
$self->logger->error("Build logout request failed for $providerID");
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
|
||||
$self->lmLog( "Request built for $providerID", 'debug' );
|
||||
$self->logger->debug("Request built for $providerID");
|
||||
}
|
||||
|
||||
# Keep message ID in memory to prevent replay
|
||||
my $samlID = $logout->request()->ID;
|
||||
unless ( $self->storeReplayProtection($samlID) ) {
|
||||
$self->lmLog( "Unable to store message ID", 'error' );
|
||||
$self->logger->error("Unable to store message ID");
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
|
||||
|
@ -2490,8 +2475,8 @@ sub sendLogoutRequestToProvider {
|
|||
# HTTP-REDIRECT
|
||||
if ( $method == Lasso::Constants::HTTP_METHOD_REDIRECT ) {
|
||||
|
||||
$self->lmLog( "Send HTTP-REDIRECT logout request to $providerID",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Send HTTP-REDIRECT logout request to $providerID");
|
||||
|
||||
# Redirect user to response URL
|
||||
my $slo_url = $logout->msg_url;
|
||||
|
@ -2507,8 +2492,7 @@ sub sendLogoutRequestToProvider {
|
|||
# HTTP-POST
|
||||
elsif ( $method == Lasso::Constants::HTTP_METHOD_POST ) {
|
||||
|
||||
$self->lmLog( "Build POST relay logout request to $providerID",
|
||||
'debug' );
|
||||
$self->logger->debug("Build POST relay logout request to $providerID");
|
||||
|
||||
# Create a new relay session
|
||||
my $relayInfos = $self->getSamlSession();
|
||||
|
@ -2544,8 +2528,8 @@ sub sendLogoutRequestToProvider {
|
|||
# Build a relay request, to be used after SLO process is done
|
||||
if ($relay) {
|
||||
|
||||
$self->lmLog( "Build SOAP relay logout request for $providerID",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Build SOAP relay logout request for $providerID");
|
||||
|
||||
# Create a new relay session
|
||||
my $relayInfos = $self->getSamlSession();
|
||||
|
@ -2580,7 +2564,7 @@ sub sendLogoutRequestToProvider {
|
|||
# Send the request directly
|
||||
else {
|
||||
|
||||
$self->lmLog( "Send SOAP logout request to $providerID", 'debug' );
|
||||
$self->logger->debug("Send SOAP logout request to $providerID");
|
||||
|
||||
my $slo_url = $logout->msg_url;
|
||||
my $slo_body = $logout->msg_body;
|
||||
|
@ -2589,7 +2573,7 @@ sub sendLogoutRequestToProvider {
|
|||
my $sp_response = $self->sendSOAPMessage( $slo_url, $slo_body );
|
||||
|
||||
unless ($sp_response) {
|
||||
$self->lmLog( "No logout response to SOAP request", 'error' );
|
||||
$self->logger->error("No logout response to SOAP request");
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
|
||||
|
@ -2598,7 +2582,7 @@ sub sendLogoutRequestToProvider {
|
|||
$self->processLogoutResponseMsg( $logout, $sp_response );
|
||||
|
||||
unless ($sp_result) {
|
||||
$self->lmLog( "Fail to process logout response", 'error' );
|
||||
$self->logger->error("Fail to process logout response");
|
||||
return ( 0, $method, undef );
|
||||
}
|
||||
|
||||
|
@ -2607,18 +2591,16 @@ sub sendLogoutRequestToProvider {
|
|||
|
||||
if ($sloStatusSessionInfos) {
|
||||
$sloStatusSessionInfos->update( { $confKey => 1 } );
|
||||
$self->lmLog(
|
||||
"Store SLO status for $confKey in session $relayState",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Store SLO status for $confKey in session $relayState");
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"Unable to store SLO status for $confKey in session $relayState",
|
||||
'warn'
|
||||
$self->logger->warn(
|
||||
"Unable to store SLO status for $confKey in session $relayState"
|
||||
);
|
||||
}
|
||||
|
||||
$self->lmLog( "Logout response is valid", 'debug' );
|
||||
$self->logger->debug("Logout response is valid");
|
||||
|
||||
}
|
||||
|
||||
|
@ -2704,8 +2686,9 @@ sub authnContext2authnLevel {
|
|||
return $self->conf->{samlAuthnContextMapPassword}
|
||||
if ( $authnContext eq $self->getAuthnContext("password") );
|
||||
return $self->conf->{samlAuthnContextMapPasswordProtectedTransport}
|
||||
if ( $authnContext eq
|
||||
$self->getAuthnContext("password-protected-transport") );
|
||||
if (
|
||||
$authnContext eq $self->getAuthnContext("password-protected-transport")
|
||||
);
|
||||
return $self->conf->{samlAuthnContextMapKerberos}
|
||||
if ( $authnContext eq $self->getAuthnContext("kerberos") );
|
||||
return $self->conf->{samlAuthnContextMapTLSClient}
|
||||
|
@ -2748,11 +2731,11 @@ sub checkDestination {
|
|||
|
||||
# Ok if no Destination
|
||||
if ( $@ or !$destination ) {
|
||||
$self->lmLog( "No Destination in SAML message", 'debug' );
|
||||
$self->logger->debug("No Destination in SAML message");
|
||||
return 1;
|
||||
}
|
||||
|
||||
$self->lmLog( "Destination $destination found in SAML message", 'debug' );
|
||||
$self->logger->debug("Destination $destination found in SAML message");
|
||||
|
||||
# Retrieve full URL
|
||||
my $portal = $self->conf->{portal};
|
||||
|
@ -2762,11 +2745,11 @@ sub checkDestination {
|
|||
|
||||
# Compare Destination and URL
|
||||
if ( $destination eq $url ) {
|
||||
$self->lmLog( "Destination match URL $url", 'debug' );
|
||||
$self->logger->debug("Destination match URL $url");
|
||||
return 1;
|
||||
}
|
||||
|
||||
$self->lmLog( "Destination does not match URL $url", 'error' );
|
||||
$self->logger->error("Destination does not match URL $url");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -2794,8 +2777,8 @@ sub getSamlSession {
|
|||
$self->userInfo("SAML session $id isn't yet available");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to create new SAML session", 'error' );
|
||||
$self->lmLog( $samlSession->error, 'error' );
|
||||
$self->logger->error("Unable to create new SAML session");
|
||||
$self->logger->error( $samlSession->error );
|
||||
}
|
||||
return undef;
|
||||
}
|
||||
|
@ -2849,9 +2832,9 @@ sub createAttributeValue {
|
|||
return unless defined $value;
|
||||
|
||||
# Decode UTF-8
|
||||
$self->lmLog( "Decode UTF8 value $value", 'debug' ) if $force_utf8;
|
||||
$self->logger->debug("Decode UTF8 value $value") if $force_utf8;
|
||||
$value = decode( "utf8", $value ) if $force_utf8;
|
||||
$self->lmLog( "Create attribute value $value", 'debug' );
|
||||
$self->logger->debug("Create attribute value $value");
|
||||
|
||||
# SAML2 attribute value
|
||||
eval { $saml2value = Lasso::Saml2AttributeValue->new(); };
|
||||
|
@ -2931,25 +2914,24 @@ sub deleteSAMLSecondarySessions {
|
|||
foreach my $saml_session (@saml_sessions_keys) {
|
||||
|
||||
# Get session
|
||||
$self->lmLog( "Retrieve SAML session $saml_session", 'debug' );
|
||||
$self->logger->debug("Retrieve SAML session $saml_session");
|
||||
|
||||
my $samlSessionInfo = $self->getSamlSession($saml_session);
|
||||
|
||||
# Delete session
|
||||
if ( $samlSessionInfo->remove ) {
|
||||
$self->lmLog( "SAML session $saml_session deleted", 'debug' );
|
||||
$self->logger->debug("SAML session $saml_session deleted");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to delete SAML session $saml_session",
|
||||
'error' );
|
||||
$self->lmLog( $samlSessionInfo->error, "error" );
|
||||
$self->logger->error(
|
||||
"Unable to delete SAML session $saml_session");
|
||||
$self->logger->error( $samlSessionInfo->error );
|
||||
$result = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No SAML session found for session $session_id ",
|
||||
'debug' );
|
||||
$self->logger->debug("No SAML session found for session $session_id ");
|
||||
}
|
||||
|
||||
return $result;
|
||||
|
@ -2992,7 +2974,7 @@ sub sendSLOSoapErrorResponse {
|
|||
"Could not set empty session in logout object" );
|
||||
}
|
||||
my $slo_body = $logout->msg_body;
|
||||
$self->lmLog( "SOAP response $slo_body", 'debug' );
|
||||
$self->logger->debug("SOAP response $slo_body");
|
||||
return [
|
||||
200,
|
||||
[
|
||||
|
|
|
@ -42,19 +42,19 @@ sub gen_password {
|
|||
# @return boolean result
|
||||
sub send_mail {
|
||||
my ( $self, $mail, $subject, $body, $html ) = @_;
|
||||
$self->lmLog( "send_mail called to send \"$subject\" to $mail", 'debug' );
|
||||
$self->logger->debug("send_mail called to send \"$subject\" to $mail");
|
||||
|
||||
# Encode the body with the given charset
|
||||
$body = encode( $self->charset, decode( 'utf-8', $body ) );
|
||||
$subject = encode( $self->charset, decode( 'utf-8', $subject ) );
|
||||
|
||||
# Debug messages
|
||||
$self->lmLog( "SMTP From " . $self->conf->{mailFrom}, 'debug' );
|
||||
$self->lmLog( "SMTP To " . $mail, 'debug' );
|
||||
$self->lmLog( "SMTP Subject " . $subject, 'debug' );
|
||||
$self->lmLog( "SMTP Body " . $body, 'debug' );
|
||||
$self->lmLog( "SMTP HTML flag " . ( $html ? "on" : "off" ), 'debug' );
|
||||
$self->lmLog( "SMTP Reply-To " . $self->conf->{mailReplyTo}, 'debug' )
|
||||
$self->logger->debug( "SMTP From " . $self->conf->{mailFrom} );
|
||||
$self->logger->debug( "SMTP To " . $mail );
|
||||
$self->logger->debug( "SMTP Subject " . $subject );
|
||||
$self->logger->debug( "SMTP Body " . $body );
|
||||
$self->logger->debug( "SMTP HTML flag " . ( $html ? "on" : "off" ) );
|
||||
$self->logger->debug( "SMTP Reply-To " . $self->conf->{mailReplyTo} )
|
||||
if $self->conf->{mailReplyTo};
|
||||
|
||||
# Encode the subject
|
||||
|
@ -130,7 +130,7 @@ sub send_mail {
|
|||
: $message->send();
|
||||
};
|
||||
if ($@) {
|
||||
$self->lmLog( "Send message failed: $@", 'error' );
|
||||
$self->logger->error("Send message failed: $@");
|
||||
return 0;
|
||||
}
|
||||
|
||||
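Review bot: `$self->logger->debug( "SMTP Body " . $body )` writes the complete message body to the debug log; given the neighbouring `gen_password` in this file, that body plausibly carries a freshly generated password or a reset link, so debug logging alone is enough to expose it. Log a length or a fixed marker instead, e.g. `$self->logger->debug( "SMTP Body length " . length($body) )`, and keep full-body output behind an explicit opt-in if it is ever needed for troubleshooting. The same consideration applies to the `SMTP Subject` line only if subjects ever embed secrets, which the hunk does not show. send_mail continues outside the hunk.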
@ -34,11 +34,8 @@ sub getUser {
|
|||
->uri('urn:Lemonldap/NG/Common/PSGI/SOAPService');
|
||||
my $r = $soap->getCookies( $req->{user}, $req->datas->{password} );
|
||||
if ( $r->fault ) {
|
||||
$self->lmLog(
|
||||
"Unable to query authentication service: "
|
||||
. $r->fault->{faultstring},
|
||||
'error'
|
||||
);
|
||||
$self->logger->error( "Unable to query authentication service: "
|
||||
. $r->fault->{faultstring} );
|
||||
return PE_ERROR;
|
||||
}
|
||||
my $res = $r->result();
|
||||
|
@ -52,7 +49,7 @@ sub getUser {
|
|||
unless ( $req->datas->{_remoteId} =
|
||||
$res->{cookies}->{ $self->conf->{remoteCookieName} } )
|
||||
{
|
||||
$self->lmLog( "No cookie named $self->{remoteCookieName}", 'error' );
|
||||
$self->logger->error("No cookie named $self->{remoteCookieName}");
|
||||
return PE_ERROR;
|
||||
}
|
||||
$req->datas->{_proxyQueryDone}++;
|
||||
|
@ -66,10 +63,8 @@ sub setSessionInfo {
|
|||
->uri('urn:Lemonldap/NG/Common/PSGI/SOAPService');
|
||||
my $r = $soap->getAttributes( $req->datas->{_remoteId} );
|
||||
if ( $r->fault ) {
|
||||
$self->lmLog(
|
||||
"Unable to query authentication service" . $r->fault->{faultstring},
|
||||
'error'
|
||||
);
|
||||
$self->logger->error( "Unable to query authentication service"
|
||||
. $r->fault->{faultstring} );
|
||||
}
|
||||
my $res = $r->result();
|
||||
if ( $res->{error} ) {
|
||||
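Review bot: In setSessionInfo the SOAP fault branch logs the error and then falls through to `my $res = $r->result();`, whereas the parallel branch in getUser returns `PE_ERROR`; on a faulted call the result is most likely undefined and the code goes on as if the query had succeeded. Add `return PE_ERROR;` after the `$self->logger->error(...)` call in setSessionInfo, mirroring getUser. Two smaller points: the setSessionInfo message drops the `": "` separator that getUser has before `$r->fault->{faultstring}`, and getUser's `"No cookie named $self->{remoteCookieName}"` reads the object hash directly while the lookup two lines earlier uses `$self->conf->{remoteCookieName}`, so the logged name is probably empty. Both subs extend outside the hunks.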
@ -20,11 +20,9 @@ sub displayInit {
|
|||
[ $self->conf->{portalSkinRules}->{$skinRule}, $sub ];
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
$self->logger->error(
|
||||
qq(Skin rule "$skinRule" returns an error: )
|
||||
. HANDLER->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
. HANDLER->tsv->{jail}->error );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -190,10 +188,7 @@ sub display {
|
|||
);
|
||||
}
|
||||
if ( $req->token ) {
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
TOKEN => $req->token,
|
||||
);
|
||||
%templateParams = ( %templateParams, TOKEN => $req->token, );
|
||||
}
|
||||
|
||||
# Show password form if password policy error
|
||||
|
@ -274,7 +269,7 @@ sub display {
|
|||
|
||||
my $displayType = $self->_authentication->getDisplayType($req);
|
||||
|
||||
$self->lmLog( "Display type $displayType ", 'debug' );
|
||||
$self->logger->debug("Display type $displayType ");
|
||||
|
||||
%templateParams = (
|
||||
%templateParams,
|
||||
|
@ -317,7 +312,7 @@ sub display {
|
|||
%templateParams = ( %templateParams, %$customParams );
|
||||
}
|
||||
|
||||
$self->lmLog( "Skin returned: $skinfile", 'debug' );
|
||||
$self->logger->debug("Skin returned: $skinfile");
|
||||
return ( $skinfile, \%templateParams );
|
||||
}
|
||||
|
||||
|
@ -381,7 +376,7 @@ sub getSkin {
|
|||
foreach my $rule ( @{ $self->conf->{skinRules} } ) {
|
||||
if ( $rule->[1]->( $req->sessionInfo ) ) {
|
||||
$skin = $rule->[0];
|
||||
$self->lmLog( "Skin $skin selected from skin rule", 'debug' );
|
||||
$self->logger->debug("Skin $skin selected from skin rule");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -389,7 +384,7 @@ sub getSkin {
|
|||
my $skinParam = $req->param('skin');
|
||||
if ( defined $skinParam && !$self->checkXSSAttack( 'skin', $skinParam ) ) {
|
||||
$skin = $skinParam;
|
||||
$self->lmLog( "Skin $skin selected from GET/POST parameter", 'debug' );
|
||||
$self->logger->debug("Skin $skin selected from GET/POST parameter");
|
||||
}
|
||||
|
||||
return $skin;
|
||||
|
@ -406,8 +401,8 @@ sub getCustomTemplateParameters {
|
|||
next unless ( $_ =~ /^tpl_(.+)$/ );
|
||||
my $tplParam = $1;
|
||||
my $tplValue = $conf->{$_};
|
||||
$self->lmLog( "Set custom template parameter $tplParam with $tplValue",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Set custom template parameter $tplParam with $tplValue");
|
||||
|
||||
$customTplParams->{$tplParam} = $tplValue;
|
||||
}
|
||||
|
@ -439,9 +434,9 @@ sub mkSessionArray {
|
|||
|
||||
foreach my $session (@$sessions) {
|
||||
$tmp .= "<tr>"
|
||||
.($displayUser ? "<td>$session->{user}</td>" : '')
|
||||
. qq'<td class="localeDate" val="$session->{_utime}"></td>'
|
||||
. "<td>$session->{ipAddr}</td>";
|
||||
. ( $displayUser ? "<td>$session->{user}</td>" : '' )
|
||||
. qq'<td class="localeDate" val="$session->{_utime}"></td>'
|
||||
. "<td>$session->{ipAddr}</td>";
|
||||
$tmp .= "<td>" . ( $session->{$_} || "" ) . "</td>"
|
||||
foreach ( keys %{ $self->conf->{sessionDataToRemember} } );
|
||||
$tmp .= "<td>$session->{error}</td>" if ($displayError);
|
||||
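Review bot: In mkSessionArray the values `$session->{user}`, `$session->{ipAddr}`, `$session->{error}` and every `sessionDataToRemember` field are concatenated into `<td>` markup without HTML escaping; the hunk only reflows these lines, so the exposure is pre-existing, but if any of these values can originate from client input (a login-history row recording the submitted login name, for instance) they should go through an escaping helper before interpolation. A small `_escHtml` wrapper (HTML::Entities if it is already a dependency, otherwise a short `s///` map over `&<>"'`) applied to each interpolated session field would close this. mkSessionArray starts and ends outside the hunk.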
@ -93,7 +93,7 @@ sub init {
|
|||
# Purge loaded module list
|
||||
$self->loadedModules( {} );
|
||||
Lemonldap::NG::Handler::Main->onReload( $self, 'reloadConf' );
|
||||
return 0 unless ( $self->SUPER::init($self->localConfig) );
|
||||
return 0 unless ( $self->SUPER::init( $self->localConfig ) );
|
||||
return 0 if ( $self->error );
|
||||
|
||||
# Handle requests (other path may be declared in enabled plugins)
|
||||
|
@ -205,7 +205,7 @@ sub reloadConf {
|
|||
foreach ( split( /\s+/, $td ) ) {
|
||||
next unless ($td);
|
||||
s#^\.#([^/]+\.)?#;
|
||||
$self->lmLog( "Domain $_ added in trusted domains", 'debug' );
|
||||
$self->logger->debug("Domain $_ added in trusted domains");
|
||||
s/\./\\./g;
|
||||
|
||||
# This regexp is valid for the followings hosts:
|
||||
|
@ -219,14 +219,14 @@ sub reloadConf {
|
|||
}
|
||||
}
|
||||
foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) {
|
||||
$self->lmLog( "Vhost $vhost added in trusted domains", 'debug' );
|
||||
$self->logger->debug("Vhost $vhost added in trusted domains");
|
||||
$re->add( quotemeta($vhost) );
|
||||
if ( my $tmp =
|
||||
$self->conf->{vhostOptions}->{$vhost}->{vhostAliases} )
|
||||
{
|
||||
foreach my $alias ( split /\s+/, $tmp ) {
|
||||
$self->lmLog( "Alias $alias added in trusted domains",
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Alias $alias added in trusted domains");
|
||||
$re->add( quotemeta($alias) );
|
||||
}
|
||||
}
|
||||
|
@ -247,20 +247,16 @@ sub reloadConf {
|
|||
$self->{"_$type"}->{$name} = $sub;
|
||||
}
|
||||
else {
|
||||
$self->lmLog(
|
||||
"$type $name returns an error: "
|
||||
. HANDLER->tsv->{jail}->error,
|
||||
'error'
|
||||
);
|
||||
$self->logger->error( "$type $name returns an error: "
|
||||
. HANDLER->tsv->{jail}->error );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$self->{_jsRedirect} =
|
||||
HANDLER->buildSub( HANDLER->substitute( $self->conf->{jsRedirect} ) )
|
||||
or $self->lmLog(
|
||||
'jsRedirect returns an error: ' . HANDLER->tsv->{jail}->error,
|
||||
'error' );
|
||||
or $self->logger->error(
|
||||
'jsRedirect returns an error: ' . HANDLER->tsv->{jail}->error );
|
||||
|
||||
$self->menu( $self->loadPlugin('::Main::Menu') );
|
||||
$self->displayInit;
|
||||
|
@ -287,15 +283,15 @@ sub findEP {
|
|||
qw(beforeAuth betweenAuthAndDatas afterDatas forAuthUser beforeLogout))
|
||||
{
|
||||
if ( $obj->can($sub) ) {
|
||||
$self->lmLog( " Found $sub entry point:", 'debug' );
|
||||
$self->logger->debug(" Found $sub entry point:");
|
||||
if ( my $callback = $obj->$sub ) {
|
||||
push @{ $self->{$sub} }, sub { $obj->$callback( $_[0] ) };
|
||||
$self->lmLog( " -> $callback", 'debug' );
|
||||
$self->logger->debug(" -> $callback");
|
||||
}
|
||||
}
|
||||
}
|
||||
( $obj and $obj->init ) or return 0;
|
||||
$self->lmLog( "Plugin $plugin initializated", 'debug' );
|
||||
$self->logger->debug("Plugin $plugin initializated");
|
||||
return $obj;
|
||||
}
|
||||
|
||||
|
@ -307,12 +303,12 @@ sub loadModule {
|
|||
|
||||
eval "require $module";
|
||||
if ($@) {
|
||||
$self->lmLog( "$module load error: $@", 'error' );
|
||||
$self->logger->error("$module load error: $@");
|
||||
return 0;
|
||||
}
|
||||
eval {
|
||||
$obj = $module->new( { p => $self, conf => $conf } );
|
||||
$self->lmLog( "Module $module loaded", 'debug' );
|
||||
$self->logger->debug("Module $module loaded");
|
||||
};
|
||||
if ($@) {
|
||||
$self->error("Unable to build $module object: $@");
|
||||
|
@ -323,7 +319,7 @@ sub loadModule {
|
|||
}
|
||||
|
||||
sub fail {
|
||||
$_[0]->lmLog( $_[0]->error, 'error' );
|
||||
$_[0]->userLogger->error( $_[0]->error );
|
||||
$_[0]->addUnauthRoute( '*' => 'displayError' );
|
||||
$_[0]->addAuthRoute( '*' => 'displayError' );
|
||||
return 0;
|
|
@ -37,11 +37,17 @@ sub init {
|
|||
if ( my $path = $self->conf->{"issuerDB${type}Path"} ) {
|
||||
$path =~ s/^.*?(\w+).*?$/$1/;
|
||||
$self->path($path);
|
||||
$self->addUnauthRoute( $path => { '*' => '_redirect' }, ['GET','POST'] );
|
||||
$self->addAuthRoute( $path => { '*' => "_forAuthUser" }, ['GET','POST'] );
|
||||
$self->addUnauthRoute(
|
||||
$path => { '*' => '_redirect' },
|
||||
[ 'GET', 'POST' ]
|
||||
);
|
||||
$self->addAuthRoute(
|
||||
$path => { '*' => "_forAuthUser" },
|
||||
[ 'GET', 'POST' ]
|
||||
);
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "No path declared for issuer $type. Skipping", 'debug' );
|
||||
$self->logger->debug("No path declared for issuer $type. Skipping");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -51,13 +57,14 @@ sub init {
|
|||
|
||||
sub _redirect {
|
||||
my ( $self, $req, @path ) = @_;
|
||||
$self->lmLog( 'Processing _redirect', 'debug' );
|
||||
$self->logger->debug('Processing _redirect');
|
||||
my $prms = $req->parameters;
|
||||
foreach my $k ( keys %$prms ) {
|
||||
$self->p->setHiddenFormValue( $req, $k, $prms->{$k}, '', 0 );
|
||||
}
|
||||
$self->p->setHiddenFormValue( $req, 'issuerMethod', $req->method, '', 0 );
|
||||
$self->p->setHiddenFormValue( $req, 'issuerQuery', $req->query_string, '', 0 );
|
||||
$self->p->setHiddenFormValue( $req, 'issuerQuery', $req->query_string, '',
|
||||
0 );
|
||||
$req->{urldc} =
|
||||
$self->conf->{portal}
|
||||
. $req->path
|
||||
|
@ -83,7 +90,7 @@ sub _redirect {
|
|||
# Case 3: authentified user, launch
|
||||
sub _forAuthUser {
|
||||
my ( $self, $req, @path ) = @_;
|
||||
$self->lmLog( 'Processing _forAuthUser', 'debug' );
|
||||
$self->logger->debug('Processing _forAuthUser');
|
||||
return $self->p->do(
|
||||
$req,
|
||||
[
|
||||
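Review bot: `_redirect` copies every request parameter into hidden form values (`foreach my $k ( keys %$prms ) { $self->p->setHiddenFormValue( $req, $k, $prms->{$k}, '', 0 ) }`) and then adds `issuerQuery` from the raw query string, so the full client-supplied parameter set is reflected into the form regardless of name or size; the hunk only touches the log line and the reflow. Restricting the copied keys to those the issuer actually needs, or at least bounding their number and length, would limit what is reflected. Whether the template layer escapes these values is not visible here and is worth confirming. _redirect and _forAuthUser extend outside the hunks.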
@ -18,8 +18,7 @@ has menuModules => (
|
|||
my @res;
|
||||
foreach (qw(Appslist ChangePassword LoginHistory Logout)) {
|
||||
my $cond = $conf->{"portalDisplay$_"} // 1;
|
||||
$_[0]
|
||||
->p->lmLog( "Evaluate condition $cond for module $_", 'debug' );
|
||||
$_[0]->p->logger->debug("Evaluate condition $cond for module $_");
|
||||
my $tmp =
|
||||
$_[0]->{p}->HANDLER->buildSub($cond);
|
||||
push @res, [ $_, $tmp ] if ($tmp);
|
||||
|
@ -31,7 +30,8 @@ has menuModules => (
|
|||
has imgPath => (
|
||||
is => 'rw',
|
||||
builder => sub {
|
||||
return $_[0]->{conf}->{impgPath} || $_[0]->{conf}->{staticPrefix} . '/logos';
|
||||
return $_[0]->{conf}->{impgPath}
|
||||
|| $_[0]->{conf}->{staticPrefix} . '/logos';
|
||||
}
|
||||
);
|
||||
|
||||
|
@ -104,7 +104,7 @@ sub displayModules {
|
|||
# Foreach module, eval condition
|
||||
# Store module in result if condition is valid
|
||||
foreach my $module ( @{ $self->menuModules } ) {
|
||||
$self->lmLog( "Check if $module->[0] has to be displayed", 'debug' );
|
||||
$self->logger->debug("Check if $module->[0] has to be displayed");
|
||||
|
||||
if ( $module->[1]->() ) {
|
||||
my $moduleHash = { $module->[0] => 1 };
|
||||
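Review bot: The reflowed imgPath builder still reads `$_[0]->{conf}->{impgPath}`; the attribute is named `imgPath`, so `impgPath` looks like a typo that makes the configured override unreachable and always falls back to `staticPrefix . '/logos'`. If no configuration key `impgPath` exists elsewhere, the line should read `return $_[0]->{conf}->{imgPath} || $_[0]->{conf}->{staticPrefix} . '/logos';`. The `has menuModules` builder in the first hunk starts outside the hunk.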
@ -33,7 +33,7 @@ sub enabledPlugins {
|
|||
# Search for Issuer* modules enabled
|
||||
foreach my $key (qw(SAML OpenID CAS OpenIDConnect Get)) {
|
||||
if ( $self->conf->{"issuerDB${key}Activation"} ) {
|
||||
$self->lmLog( "Issuer${key} enabled", 'debug' );
|
||||
$self->logger->debug("Issuer${key} enabled");
|
||||
push @res, "::Issuer::$key";
|
||||
}
|
||||
}
|
||||
|
@ -62,8 +62,8 @@ sub enabledPlugins {
|
|||
# Check if custom plugins are required
|
||||
# TODO: change this name
|
||||
if ( $self->conf->{customPlugins} ) {
|
||||
$self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins},
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
'Custom plugins: ' . $self->conf->{customPlugins} );
|
||||
push @res, grep ( /\w/, split( /,\s*/, $self->conf->{customPlugins} ) );
|
||||
}
|
||||
return @res;
|
||||
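Review bot: The custom plugin list is accepted with `grep ( /\w/, split( /,\s*/, ... ) )`, which only requires one word character per entry, and these names are later loaded by loadModule's string `eval "require $module"`; tightening the filter to `grep { /^[\w:]+$/ } split( /,\s*/, $self->conf->{customPlugins} )` ensures only syntactically valid package names reach the eval. The value is admin-controlled configuration, so this is defence in depth rather than an exposed path. enabledPlugins starts outside the hunks.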
@ -21,15 +21,15 @@ sub process {
|
|||
my $err = PE_OK;
|
||||
while ( my $sub = shift @{ $req->steps } ) {
|
||||
if ( ref $sub ) {
|
||||
$self->lmLog( "Processing code ref", 'debug' );
|
||||
$self->logger->debug("Processing code ref");
|
||||
last if ( $err = $sub->($req) );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Processing $sub", 'debug' );
|
||||
$self->logger->debug("Processing $sub");
|
||||
last if ( $err = $self->$sub($req) );
|
||||
}
|
||||
}
|
||||
$self->lmLog( "Returned error: $err", 'debug' ) if ($err);
|
||||
$self->logger->debug("Returned error: $err") if ($err);
|
||||
return $err;
|
||||
}
|
||||
|
||||
|
@ -64,11 +64,11 @@ sub controlUrl {
|
|||
if ( $self->conf->{cipher} and $2 ne "1" ) {
|
||||
my $time = time() - $self->conf->{cipher}->decrypt($2);
|
||||
if ( $time < 600 ) {
|
||||
$self->lmLog( "Confirm parameter accepted $c", 'debug' );
|
||||
$self->logger->debug("Confirm parameter accepted $c");
|
||||
$req->set_param( 'confirm', $c );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Confirmation to old, refused', 'notice' );
|
||||
$self->logger->notice('Confirmation to old, refused');
|
||||
$req->set_param( 'confirm', 0 );
|
||||
}
|
||||
}
|
||||
|
@ -82,9 +82,8 @@ sub controlUrl {
|
|||
}
|
||||
else {
|
||||
if ( $url =~ m#[^A-Za-z0-9\+/=]# ) {
|
||||
$self->lmLog(
|
||||
"Value must be in BASE64 (param: url | value: $url)",
|
||||
"warn" );
|
||||
$self->userLogger->error(
|
||||
"Value must be in BASE64 (param: url | value: $url)");
|
||||
return PE_BADURL;
|
||||
}
|
||||
$req->{urldc} = decode_base64($url);
|
||||
|
@ -112,12 +111,10 @@ sub controlUrl {
|
|||
|
||||
# Non protected hosts
|
||||
if ( $tmp and !$self->isTrustedUrl($tmp) ) {
|
||||
$self->lmLog(
|
||||
"URL contains a non protected host (param: "
|
||||
$self->userLogger->error(
|
||||
"URL contains a non protected host (param: "
|
||||
. ( $req->param('logout') ? 'HTTP Referer' : 'urldc' )
|
||||
. " | value: $tmp)",
|
||||
"warn"
|
||||
);
|
||||
. " | value: $tmp)" );
|
||||
delete $req->{urldc};
|
||||
return PE_BADURL;
|
||||
}
|
||||
|
@ -147,16 +144,16 @@ sub deleteSession {
|
|||
my $apacheSession = $self->getApacheSession( $req->id );
|
||||
my $id = $req->id;
|
||||
unless ($apacheSession) {
|
||||
$self->lmLog( "Session $id already deleted", 'debug' );
|
||||
$self->logger->debug("Session $id already deleted");
|
||||
return PE_OK;
|
||||
}
|
||||
unless ( $self->_deleteSession( $req, $apacheSession ) ) {
|
||||
$self->lmLog( "Unable to delete session $id", 'error' );
|
||||
$self->lmLog( $apacheSession->error, 'error' );
|
||||
$self->logger->error("Unable to delete session $id");
|
||||
$self->logger->error( $apacheSession->error );
|
||||
return PE_ERROR;
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Session $id deleted from global storage", 'debug' );
|
||||
$self->logger->debug("Session $id deleted from global storage");
|
||||
}
|
||||
|
||||
# TODO
|
||||
|
@ -164,7 +161,7 @@ sub deleteSession {
|
|||
if ( $req->datas->{logoutServices} and %{ $req->datas->{logoutServices} } )
|
||||
{
|
||||
|
||||
$self->lmLog( "Create iFrames to forward logout to services", 'debug' );
|
||||
$self->logger->debug("Create iFrames to forward logout to services");
|
||||
|
||||
$req->info('<h3 trmsg="logoutFromOtherApp"></h3>');
|
||||
|
||||
|
@ -173,11 +170,8 @@ sub deleteSession {
|
|||
my $logoutServiceUrl =
|
||||
$req->datas->{logoutServices}->{$logoutServiceName};
|
||||
|
||||
$self->lmLog(
|
||||
"Find logout service $logoutServiceName ($logoutServiceUrl)",
|
||||
|
||||
'debug'
|
||||
);
|
||||
$self->logger->debug(
|
||||
"Find logout service $logoutServiceName ($logoutServiceUrl)");
|
||||
|
||||
my $iframe =
|
||||
qq'<iframe src="$logoutServiceUrl" alt="$logoutServiceName"'
|
||||
|
@ -190,8 +184,7 @@ sub deleteSession {
|
|||
|
||||
# Redirect on logout page if no other target defined
|
||||
if ( !$req->urldc and !$req->postUrl ) {
|
||||
$self->lmLog( 'No other target defined, redirect on logout',
|
||||
'debug' );
|
||||
$self->logger->debug('No other target defined, redirect on logout');
|
||||
$req->urldc( $req->script_name . "?logout=1" );
|
||||
}
|
||||
}
|
||||
|
@ -231,8 +224,8 @@ sub checkXSSAttack {
|
|||
# Test value
|
||||
$value =~ s/\%25/\%/g;
|
||||
if ( $value =~ m/(?:\0|<|'|"|`|\%(?:00|3C|22|27|2C))/ ) {
|
||||
$self->lmLog( "XSS attack detected (param: $name | value: $value)",
|
||||
"warn" );
|
||||
$self->userLogger->error(
|
||||
"XSS attack detected (param: $name | value: $value)");
|
||||
return $self->conf->{checkXSS};
|
||||
}
|
||||
|
||||
|
@ -246,9 +239,8 @@ sub extractFormInfo {
|
|||
my ( $self, $req ) = @_;
|
||||
my $ret = $self->_authentication->extractFormInfo($req);
|
||||
if ( $ret == PE_OK and not( $req->user or $req->continue ) ) {
|
||||
$self->lmLog(
|
||||
'Authentication module succeed but has not set $req->user',
|
||||
'error' );
|
||||
$self->logger->error(
|
||||
'Authentication module succeed but has not set $req->user');
|
||||
return PE_ERROR;
|
||||
}
|
||||
elsif ( $ret == PE_FIRSTACCESS
|
||||
|
@ -287,8 +279,7 @@ sub setAuthSessionInfo {
|
|||
if ( $ret == PE_OK
|
||||
and not( defined $req->sessionInfo->{authenticationLevel} ) )
|
||||
{
|
||||
$self->lmLog( 'Authentication level is not set by auth module',
|
||||
'error' );
|
||||
$self->logger->error('Authentication level is not set by auth module');
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
|
@ -366,12 +357,12 @@ sub setPersistentSessionInfo {
|
|||
my $persistentSession = $self->getPersistentSession($key);
|
||||
|
||||
if ($persistentSession) {
|
||||
$self->lmLog( "Persistent session found for $key", 'debug' );
|
||||
$self->logger->debug("Persistent session found for $key");
|
||||
foreach my $k ( keys %{ $persistentSession->data } ) {
|
||||
|
||||
# Do not restore some parameters
|
||||
next if $k =~ /^_(?:utime|session_(?:u?id|kind))$/;
|
||||
$self->lmLog( "Restore persistent parameter $k", 'debug' );
|
||||
$self->logger->debug("Restore persistent parameter $k");
|
||||
$req->{sessionInfo}->{$k} = $persistentSession->data->{$k};
|
||||
}
|
||||
}
|
||||
|
@ -438,7 +429,7 @@ sub store {
|
|||
{
|
||||
$displayValue = '****';
|
||||
}
|
||||
$self->lmLog( "Store $displayValue in session key $k", 'debug' );
|
||||
$self->logger->debug("Store $displayValue in session key $k");
|
||||
$self->_dump($displayValue) if ref($displayValue);
|
||||
$infos->{$k} = $req->{sessionInfo}->{$k};
|
||||
}
|
||||
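Review bot: In checkXSSAttack the detection regexp `m/(?:\0|<|'|"|`|\%(?:00|3C|22|27|2C))/` matches only upper-case hex in the percent-encoded forms, so `%3c` or `%2c` passes where `%3C` is rejected; add the `/i` modifier so both spellings are treated alike. The hunk only replaces the log call, so this is pre-existing, and the return value `$self->conf->{checkXSS}` means a detected value is still accepted when that option is off, which is presumably intentional but deserves a comment such as `# Reject only when checkXSS is enabled; the event is always logged`. One wording fix in controlUrl: `'Confirmation to old, refused'` should read `too old`. checkXSSAttack and controlUrl extend outside the hunks.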
@ -128,7 +128,7 @@ sub do {
|
|||
return $req->response;
|
||||
}
|
||||
if ( !$self->conf->{noAjaxHook} and $req->wantJSON ) {
|
||||
$self->lmLog( 'Processing to JSON response', 'debug' );
|
||||
$self->logger->debug('Processing to JSON response');
|
||||
if ( $err > 0 and !$req->id ) {
|
||||
return [
|
||||
401,
|
||||
|
@ -170,11 +170,11 @@ sub do {
|
|||
)
|
||||
{
|
||||
my ( $tpl, $prms ) = $self->display($req);
|
||||
$self->lmLog( "Calling sendHtml with template $tpl", 'debug' );
|
||||
$self->logger->debug("Calling sendHtml with template $tpl");
|
||||
return $self->sendHtml( $req, $tpl, params => $prms );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( 'Calling autoredirect', 'debug' );
|
||||
$self->logger->debug('Calling autoredirect');
|
||||
return $self->autoRedirect($req);
|
||||
}
|
||||
}
|
||||
|
@ -224,12 +224,12 @@ sub autoRedirect {
|
|||
$req->datas->{redirectFormMethod} = "get";
|
||||
}
|
||||
else {
|
||||
return [ 302, [ Location => $req->{urldc}, @{ $req->respHeaders } ],
|
||||
[] ];
|
||||
return [ 302,
|
||||
[ Location => $req->{urldc}, @{ $req->respHeaders } ], [] ];
|
||||
}
|
||||
}
|
||||
my ( $tpl, $prms ) = $self->display($req);
|
||||
$self->lmLog( "Calling sendHtml with template $tpl", 'debug' );
|
||||
$self->logger->debug("Calling sendHtml with template $tpl");
|
||||
return $self->sendHtml( $req, $tpl, params => $prms );
|
||||
}
|
||||
|
||||
|
@ -240,10 +240,10 @@ sub getApacheSession {
|
|||
$args{kind} ||= "SSO";
|
||||
|
||||
if ($id) {
|
||||
$self->lmLog( "Try to get $args{kind} session $id", 'debug' );
|
||||
$self->logger->debug("Try to get $args{kind} session $id");
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Try to get a new $args{kind} session", 'debug' );
|
||||
$self->logger->debug("Try to get a new $args{kind} session");
|
||||
}
|
||||
|
||||
my $as = Lemonldap::NG::Common::Session->new(
|
||||
|
@ -265,7 +265,7 @@ sub getApacheSession {
|
|||
}
|
||||
|
||||
if ( $id and !$args{force} and !$as->data ) {
|
||||
$self->lmLog( "Session $args{kind} $id not found", 'debug' );
|
||||
$self->logger->debug("Session $args{kind} $id not found");
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -282,11 +282,11 @@ sub getApacheSession {
|
|||
)
|
||||
)
|
||||
{
|
||||
$self->lmLog( "Session $args{kind} $id expired", 'debug' );
|
||||
$self->logger->debug("Session $args{kind} $id expired");
|
||||
return;
|
||||
}
|
||||
|
||||
$self->lmLog( "Return $args{kind} session " . $as->id, 'debug' );
|
||||
$self->logger->debug( "Return $args{kind} session " . $as->id );
|
||||
|
||||
return $as;
|
||||
}
|
||||
|
@ -311,7 +311,7 @@ sub getPersistentSession {
|
|||
);
|
||||
|
||||
if ( $ps->error ) {
|
||||
$self->lmLog( $ps->error, 'debug' );
|
||||
$self->logger->debug( $ps->error );
|
||||
}
|
||||
|
||||
# Set _session_uid if not already present
|
||||
|
@ -346,21 +346,19 @@ sub updatePersistentSession {
|
|||
$uid ||= $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
|
||||
|| $req->userData->{ $self->conf->{whatToTrace} };
|
||||
unless ($uid) {
|
||||
$self->lmLog( 'No uid found, skipping updatePersistentSession',
|
||||
'debug' );
|
||||
$self->logger->debug('No uid found, skipping updatePersistentSession');
|
||||
return ();
|
||||
}
|
||||
$self->lmLog( "Update $uid persistent session", 'debug' );
|
||||
$self->logger->debug("Update $uid persistent session");
|
||||
|
||||
my $persistentSession = $self->getPersistentSession($uid);
|
||||
|
||||
$persistentSession->update($infos);
|
||||
|
||||
if ( $persistentSession->error ) {
|
||||
$self->lmLog(
|
||||
"Cannot update persistent session " . $self->_md5hash($uid),
|
||||
'error' );
|
||||
$self->lmLog( $persistentSession->error, 'error' );
|
||||
$self->logger->error(
|
||||
"Cannot update persistent session " . $self->_md5hash($uid) );
|
||||
$self->logger->error( $persistentSession->error );
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -387,8 +385,8 @@ sub updateSession {
|
|||
## sessionInfo updated if $id defined : quite strange !!
|
||||
## See http://jira.ow2.org/browse/LEMONLDAP-430
|
||||
foreach ( keys %$infos ) {
|
||||
$self->lmLog( "Update sessionInfo $_ with " . $infos->{$_},
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Update sessionInfo $_ with " . $infos->{$_} );
|
||||
$req->{sessionInfo}->{$_} = $infos->{$_};
|
||||
}
|
||||
|
||||
|
@ -402,8 +400,8 @@ sub updateSession {
|
|||
$apacheSession->update($infos);
|
||||
|
||||
if ( $apacheSession->error ) {
|
||||
$self->lmLog( "Cannot update session $id", 'error' );
|
||||
$self->lmLog( $apacheSession->error, 'error' );
|
||||
$self->logger->error("Cannot update session $id");
|
||||
$self->logger->error( $apacheSession->error );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -427,9 +425,9 @@ sub _deleteSession {
|
|||
if ( my $session2 = $self->getApacheSession($id2) ) {
|
||||
$session2->remove;
|
||||
if ( $session2->error ) {
|
||||
$self->lmLog( "Unable to remove linked session $id2",
|
||||
'debug' );
|
||||
$self->lmLog( $session2->error, 'debug' );
|
||||
$self->logger->debug(
|
||||
"Unable to remove linked session $id2");
|
||||
$self->logger->debug( $session2->error );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -531,7 +529,7 @@ sub setHiddenFormValue {
|
|||
$key = $prefix . $key;
|
||||
$val =~ s/\+/%2B/g;
|
||||
$req->{portalHiddenFormValues}->{$key} = $val;
|
||||
$self->lmLog( "Store $val in hidden key $key", 'debug' );
|
||||
$self->logger->debug("Store $val in hidden key $key");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -554,7 +552,7 @@ sub getHiddenFormValue {
|
|||
if ( my $val = $req->param($key) ) {
|
||||
$val = decode_base64($val) if $base64;
|
||||
return $val;
|
||||
$self->lmLog( "Hidden value $val found for key $key", 'debug' );
|
||||
$self->logger->debug("Hidden value $val found for key $key");
|
||||
}
|
||||
|
||||
# No value found
|
||||
|
@ -571,12 +569,12 @@ sub clearHiddenFormValue {
|
|||
|
||||
unless ( defined $keys ) {
|
||||
delete $req->{portalHiddenFormValues};
|
||||
$self->lmLog( "Delete all hidden values", 'debug' );
|
||||
$self->logger->debug("Delete all hidden values");
|
||||
}
|
||||
else {
|
||||
foreach (@$keys) {
|
||||
delete $req->{portalHiddenFormValues}->{$_};
|
||||
$self->lmLog( "Delete hidden value for key $_", 'debug' );
|
||||
$self->logger->debug("Delete hidden value for key $_");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -625,7 +623,7 @@ sub _dump {
|
|||
my ( $self, $variable ) = @_;
|
||||
require Data::Dumper;
|
||||
$Data::Dumper::Indent = 0;
|
||||
$self->lmLog( "Dump: " . Data::Dumper::Dumper($variable), 'debug' );
|
||||
$self->logger->debug( "Dump: " . Data::Dumper::Dumper($variable) );
|
||||
return;
|
||||
}
|
||||
|
||||
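Review bot: In getHiddenFormValue the new `$self->logger->debug("Hidden value $val found for key $key");` sits after `return $val;` and is therefore never executed; move it above the return. The same file also logs full session identifiers at debug level in getApacheSession (`Try to get $args{kind} session $id`, `Return $args{kind} session " . $as->id`) while updatePersistentSession already hashes the key via `$self->_md5hash($uid)` before logging; applying the same hashing to SSO ids would keep debug logs from doubling as a store of live session tokens. Finally `_dump` assigns `$Data::Dumper::Indent = 0` globally; `local $Data::Dumper::Indent = 0;` scopes it to the sub. getHiddenFormValue, getApacheSession and _dump extend outside their hunks.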
@ -1,553 +0,0 @@
|
|||
##@file
|
||||
# menu for lemonldap::ng portal
|
||||
|
||||
##@class
|
||||
# menu class for lemonldap::ng portal
|
||||
package Lemonldap::NG::Portal::Menu;
|
||||
|
||||
use strict;
|
||||
use utf8;
|
||||
use warnings;
|
||||
use Lemonldap::NG::Portal::Simple;
|
||||
use Lemonldap::NG::Portal::_LibAccess;
|
||||
use base qw(Lemonldap::NG::Portal::_LibAccess);
|
||||
use Clone qw(clone);
|
||||
|
||||
our $VERSION = '2.0.0';
|
||||
our $catlevel = 0;
|
||||
|
||||
## @method void menuInit()
|
||||
# Prepare menu template elements
|
||||
# @return nothing
|
||||
sub menuInit {
|
||||
my $self = shift;
|
||||
$self->{apps}->{imgpath} ||= '/apps/';
|
||||
|
||||
# Modules to display
|
||||
$self->{menuModules} ||= "Appslist ChangePassword LoginHistory Logout";
|
||||
$self->{menuDisplayModules} = $self->displayModules();
|
||||
|
||||
# Extract password from POST data
|
||||
$self->{oldpassword} = $self->param('oldpassword');
|
||||
$self->{newpassword} = $self->param('newpassword');
|
||||
$self->{confirmpassword} = $self->param('confirmpassword');
|
||||
$self->{dn} = $self->{sessionInfo}->{dn};
|
||||
$self->{user} = $self->{sessionInfo}->{_user};
|
||||
|
||||
# Try to change password
|
||||
$self->{menuError} =
|
||||
$self->_subProcess(
|
||||
qw(passwordDBInit modifyPassword passwordDBFinish sendPasswordMail))
|
||||
unless $self->{ignorePasswordChange};
|
||||
|
||||
# Default menu error code
|
||||
$self->{menuError} = PE_PASSWORD_OK if ( $self->{passwordWasChanged} );
|
||||
$self->{menuError} ||= $self->{error};
|
||||
|
||||
# Tab to display
|
||||
# Get the tab URL parameter
|
||||
$self->{menuDisplayTab} = $self->param("tab") || "none";
|
||||
|
||||
# Default to appslist if invalid tab URL parameter
|
||||
$self->{menuDisplayTab} = "appslist"
|
||||
unless ( $self->{menuDisplayTab} =~ /^(password|logout|loginHistory)$/ );
|
||||
|
||||
# Force password tab in case of password error
|
||||
$self->{menuDisplayTab} = "password"
|
||||
if (
|
||||
(
|
||||
scalar(
|
||||
grep { $_ == $self->{menuError} } (
|
||||
25, #PE_PP_CHANGE_AFTER_RESET
|
||||
26, #PE_PP_PASSWORD_MOD_NOT_ALLOWED
|
||||
27, #PE_PP_MUST_SUPPLY_OLD_PASSWORD
|
||||
28, #PE_PP_INSUFFICIENT_PASSWORD_QUALITY
|
||||
29, #PE_PP_PASSWORD_TOO_SHORT
|
||||
30, #PE_PP_PASSWORD_TOO_YOUNG
|
||||
31, #PE_PP_PASSWORD_IN_HISTORY
|
||||
32, #PE_PP_GRACE
|
||||
33, #PE_PP_EXP_WARNING
|
||||
34, #PE_PASSWORD_MISMATCH
|
||||
39, #PE_BADOLDPASSWORD
|
||||
74, #PE_MUST_SUPPLY_OLD_PASSWORD
|
||||
)
|
||||
)
|
||||
)
|
||||
);
|
||||
|
||||
# Application list for old templates
|
||||
if ( $self->{useOldMenuItems} ) {
|
||||
$self->{menuAppslistMenu} = $self->appslistMenu();
|
||||
$self->{menuAppslistDesc} = $self->appslistDescription();
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
## @method arrayref displayModules()
|
||||
# List modules that can be displayed in Menu
|
||||
# @return modules list
|
||||
sub displayModules {
|
||||
my $self = shift;
|
||||
my $displayModules = [];
|
||||
|
||||
# Modules list
|
||||
my @modules = split( /\s/, $self->{menuModules} );
|
||||
|
||||
# Foreach module, eval condition
|
||||
# Store module in result if condition is valid
|
||||
foreach my $module (@modules) {
|
||||
my $cond = $self->{ 'portalDisplay' . $module };
|
||||
$cond = 1 unless defined $cond;
|
||||
|
||||
$self->lmLog( "Evaluate condition $cond for module $module", 'debug' );
|
||||
|
||||
if ( $self->safe->reval($cond) ) {
|
||||
my $moduleHash = { $module => 1 };
|
||||
$moduleHash->{'APPSLIST_LOOP'} = $self->appslist()
|
||||
if ( $module eq 'Appslist' );
|
||||
if ( $module eq 'LoginHistory' ) {
|
||||
$moduleHash->{'SUCCESS_LOGIN'} =
|
||||
$self->mkSessionArray(
|
||||
$self->{sessionInfo}->{loginHistory}->{successLogin},
|
||||
"", 0, 0 );
|
||||
$moduleHash->{'FAILED_LOGIN'} =
|
||||
$self->mkSessionArray(
|
||||
$self->{sessionInfo}->{loginHistory}->{failedLogin},
|
||||
"", 0, 1 );
|
||||
}
|
||||
push @$displayModules, $moduleHash;
|
||||
}
|
||||
}
|
||||
|
||||
return $displayModules;
|
||||
}
|
||||
|
||||
## @method arrayref appslist()
|
||||
# Returns categories and applications list as HTML::Template loop
|
||||
# @return categories and applications list
|
||||
sub appslist {
|
||||
my ($self) = @_;
|
||||
my $appslist = [];
|
||||
|
||||
return $appslist unless defined $self->{applicationList};
|
||||
|
||||
# Reset level
|
||||
$catlevel = 0;
|
||||
|
||||
my $applicationList = clone( $self->{applicationList} );
|
||||
my $filteredList = $self->_filter($applicationList);
|
||||
push @$appslist, $self->_buildCategoryHash( "", $filteredList, $catlevel );
|
||||
|
||||
# We must return an ARRAY ref
|
||||
return ( ref $appslist->[0]->{categories} eq "ARRAY" )
|
||||
? $appslist->[0]->{categories}
|
||||
: [];
|
||||
}
|
||||
|
||||
## @method private hashref _buildCategoryHash(string catname,hashref cathash, int catlevel)
|
||||
# Build hash for a category
|
||||
# @param catname Category name
|
||||
# @param cathash Hash of category elements
|
||||
# @param catlevel Category level
|
||||
# @return Category Hash
|
||||
sub _buildCategoryHash {
|
||||
my ( $self, $catid, $cathash, $catlevel ) = @_;
|
||||
my $catname = $cathash->{catname} || $catid;
|
||||
utf8::decode($catname);
|
||||
my $applications;
|
||||
my $categories;
|
||||
|
||||
# Extract applications from hash
|
||||
my $apphash;
|
||||
foreach my $catkey ( sort keys %$cathash ) {
|
||||
next if $catkey =~ /(type|options|catname)/;
|
||||
if ( $cathash->{$catkey}->{type} eq "application" ) {
|
||||
$apphash->{$catkey} = $cathash->{$catkey};
|
||||
}
|
||||
}
|
||||
|
||||
# Display applications first
|
||||
if ( scalar keys %$apphash > 0 ) {
|
||||
foreach my $appkey ( sort keys %$apphash ) {
|
||||
push @$applications,
|
||||
$self->_buildApplicationHash( $appkey, $apphash->{$appkey} );
|
||||
}
|
||||
}
|
||||
|
||||
# Display subcategories
|
||||
foreach my $catkey ( sort keys %$cathash ) {
|
||||
next if $catkey =~ /(type|options|catname)/;
|
||||
if ( $cathash->{$catkey}->{type} eq "category" ) {
|
||||
push @$categories,
|
||||
$self->_buildCategoryHash( $catkey, $cathash->{$catkey},
|
||||
$catlevel + 1 );
|
||||
}
|
||||
}
|
||||
|
||||
my $categoryHash = {
|
||||
category => 1,
|
||||
catname => $catname,
|
||||
catid => $catid,
|
||||
catlevel => $catlevel
|
||||
};
|
||||
$categoryHash->{applications} = $applications if $applications;
|
||||
$categoryHash->{categories} = $categories if $categories;
|
||||
return $categoryHash;
|
||||
}
|
||||
|
||||
## @method private hashref _buildApplicationHash(string appid, hashref apphash)
|
||||
# Build hash for an application
|
||||
# @param $appid Application ID
|
||||
# @param $apphash Hash of application elements
|
||||
# @return Application Hash
|
||||
sub _buildApplicationHash {
|
||||
my ( $self, $appid, $apphash ) = @_;
|
||||
my $applications;
|
||||
|
||||
# Get application items
|
||||
my $appname = $apphash->{options}->{name} || $appid;
|
||||
my $appuri = $apphash->{options}->{uri} || "";
|
||||
my $appdesc = $apphash->{options}->{description};
|
||||
my $applogo = $apphash->{options}->{logo};
|
||||
utf8::decode($appname);
|
||||
utf8::decode($appdesc) if $appdesc;
|
||||
|
||||
# Detect sub applications
|
||||
my $subapphash;
|
||||
foreach my $key ( sort keys %$apphash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $apphash->{$key}->{type} eq "application" ) {
|
||||
$subapphash->{$key} = $apphash->{$key};
|
||||
}
|
||||
}
|
||||
|
||||
# Display sub applications
|
||||
if ( scalar keys %$subapphash > 0 ) {
|
||||
foreach my $appkey ( sort keys %$subapphash ) {
|
||||
push @$applications,
|
||||
$self->_buildApplicationHash( $appkey, $subapphash->{$appkey} );
|
||||
}
|
||||
}
|
||||
|
||||
my $applicationHash = {
|
||||
application => 1,
|
||||
appname => $appname,
|
||||
appuri => $appuri,
|
||||
appdesc => $appdesc,
|
||||
applogo => $applogo,
|
||||
appid => $appid,
|
||||
};
|
||||
$applicationHash->{applications} = $applications if $applications;
|
||||
return $applicationHash;
|
||||
}
|
||||
|
||||
## @method string appslistMenu()
|
||||
# Returns HTML code for application list menu.
|
||||
# @return HTML string
|
||||
sub appslistMenu {
|
||||
my $self = shift;
|
||||
|
||||
# We no more use XML file for menu configuration
|
||||
unless ( defined $self->{applicationList} ) {
|
||||
$self->abort(
|
||||
"XML menu configuration is deprecated",
|
||||
"Please use lmMigrateConfFiles2ini to migrate your menu configuration"
|
||||
);
|
||||
}
|
||||
|
||||
# Use configuration to get menu parameters
|
||||
my $applicationList = clone( $self->{applicationList} );
|
||||
my $filteredList = $self->_filter($applicationList);
|
||||
|
||||
return $self->_displayConfCategory( "", $filteredList, $catlevel );
|
||||
}
|
||||
|
||||
## @method string appslistDescription()
|
||||
# Returns HTML code for application description.
|
||||
# @return HTML string
|
||||
sub appslistDescription {
|
||||
my $self = shift;
|
||||
|
||||
# We no more use XML file for menu configuration
|
||||
unless ( defined $self->{applicationList} ) {
|
||||
$self->lmLog(
|
||||
"XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration",
|
||||
'error'
|
||||
);
|
||||
return " ";
|
||||
}
|
||||
|
||||
# Use configuration to get menu parameters
|
||||
my $applicationList = clone( $self->{applicationList} );
|
||||
return $self->_displayConfDescription( "", $applicationList );
|
||||
}
|
||||
|
||||
## @method string _displayConfCategory(string catname, hashref cathash, int catlevel)
|
||||
# Creates and returns HTML code for a category.
|
||||
# @param catname Category name
|
||||
# @param cathash Hash of category elements
|
||||
# @param catlevel Category level
|
||||
# @return HTML string
|
||||
sub _displayConfCategory {
|
||||
my ( $self, $catname, $cathash, $catlevel ) = @_;
|
||||
my $html;
|
||||
my $key;
|
||||
|
||||
# Init HTML list
|
||||
$html .= "<ul class=\"category cat-level-$catlevel\">\n";
|
||||
$html .= "<li class=\"catname\">\n";
|
||||
$html .= "<span>$catname</span>\n" if $catname;
|
||||
|
||||
# Increase category level
|
||||
$catlevel++;
|
||||
|
||||
# Extract applications from hash
|
||||
my $apphash;
|
||||
foreach $key ( keys %$cathash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $cathash->{$key}->{type}
|
||||
and $cathash->{$key}->{type} eq "application" )
|
||||
{
|
||||
$apphash->{$key} = $cathash->{$key};
|
||||
}
|
||||
}
|
||||
|
||||
# display applications first
|
||||
if ( scalar keys %$apphash > 0 ) {
|
||||
$html .= "<ul>";
|
||||
foreach $key ( keys %$apphash ) {
|
||||
$html .= $self->_displayConfApplication( $key, $apphash->{$key} );
|
||||
}
|
||||
$html .= "</ul>";
|
||||
}
|
||||
|
||||
# Display subcategories
|
||||
foreach $key ( keys %$cathash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $cathash->{$key}->{type}
|
||||
and $cathash->{$key}->{type} eq "category" )
|
||||
{
|
||||
$html .=
|
||||
$self->_displayConfCategory( $key, $cathash->{$key}, $catlevel );
|
||||
}
|
||||
}
|
||||
|
||||
# Close HTML list
|
||||
$html .= "</li>\n";
|
||||
$html .= "</ul>\n";
|
||||
|
||||
return $html;
|
||||
}
|
||||
|
||||
## @method private string _displayConfApplication(string appid, hashref apphash)
|
||||
# Creates HTML code for an application.
|
||||
# @param $appid Application ID
|
||||
# @param $apphash Hash of application elements
|
||||
# @return HTML string
|
||||
sub _displayConfApplication {
|
||||
my $self = shift;
|
||||
my ( $appid, $apphash ) = @_;
|
||||
my $html;
|
||||
my $key;
|
||||
|
||||
# Get application items
|
||||
my $appname = $apphash->{options}->{name} || $appid;
|
||||
my $appuri = $apphash->{options}->{uri} || "";
|
||||
|
||||
# Display application
|
||||
$html .=
|
||||
"<li title=\"$appid\" class=\"appname $appid\"><span>"
|
||||
. ( $appuri ? "<a href=\"$appuri\">$appname</a>" : "<a>$appname</a>" )
|
||||
. "</span>\n";
|
||||
|
||||
# Detect sub applications
|
||||
my $subapphash;
|
||||
foreach $key ( keys %$apphash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $apphash->{$key}->{type} eq "application" ) {
|
||||
$subapphash->{$key} = $apphash->{$key};
|
||||
}
|
||||
}
|
||||
|
||||
# Display sub applications
|
||||
if ( scalar keys %$subapphash > 0 ) {
|
||||
$html .= "<ul>";
|
||||
foreach $key ( keys %$subapphash ) {
|
||||
$html .=
|
||||
$self->_displayConfApplication( $key, $subapphash->{$key} );
|
||||
}
|
||||
$html .= "</ul>";
|
||||
}
|
||||
|
||||
$html .= "</li>";
|
||||
return $html;
|
||||
}
|
||||
|
||||
## @method private string _displayConfDescription(string appid, hashref apphash)
|
||||
# Create HTML code for application description.
|
||||
# @param $appid Application ID
|
||||
# @param $apphash Hash
|
||||
# @return HTML string
|
||||
sub _displayConfDescription {
|
||||
my $self = shift;
|
||||
my ( $appid, $apphash ) = @_;
|
||||
my $html = "";
|
||||
my $key;
|
||||
|
||||
if ( defined $apphash->{type} and $apphash->{type} eq "application" ) {
|
||||
|
||||
# Get application items
|
||||
my $appname = $apphash->{options}->{name} || $appid;
|
||||
my $appuri = $apphash->{options}->{uri} || "";
|
||||
my $appdesc = $apphash->{options}->{description};
|
||||
my $applogofile = $apphash->{options}->{logo};
|
||||
my $applogo = $self->{apps}->{imgpath} . $applogofile
|
||||
if $applogofile;
|
||||
|
||||
# Display application description
|
||||
$html .= "<div id=\"$appid\" class=\"appsdesc\">\n";
|
||||
$html .=
|
||||
"<a href=\"$appuri\"><img src=\"$applogo\" alt=\"$appid logo\" /></a>\n"
|
||||
if $applogofile;
|
||||
$html .= "<p class=\"appname\">$appname</p>\n" if defined $appname;
|
||||
$html .= "<p class=\"appdesc\">$appdesc</p>\n" if defined $appdesc;
|
||||
$html .= "</div>\n";
|
||||
}
|
||||
|
||||
# Sublevels
|
||||
foreach $key ( keys %$apphash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
$html .= $self->_displayConfDescription( $key, $apphash->{$key} );
|
||||
}
|
||||
|
||||
return $html;
|
||||
}
|
||||
|
||||
## @method private string _filter(hashref apphash)
|
||||
# Duplicate hash reference
|
||||
# Remove unauthorized menu elements
|
||||
# Hide empty categories
|
||||
# @param $apphash Menu elements
|
||||
# @return filtered hash
|
||||
sub _filter {
|
||||
my ( $self, $apphash ) = @_;
|
||||
my $filteredHash;
|
||||
my $key;
|
||||
|
||||
# Copy hash reference into a new hash
|
||||
foreach $key ( keys %$apphash ) {
|
||||
$filteredHash->{$key} = $apphash->{$key};
|
||||
}
|
||||
|
||||
# Filter hash
|
||||
$self->_filterHash($filteredHash);
|
||||
|
||||
# Hide empty categories
|
||||
$self->_isCategoryEmpty($filteredHash);
|
||||
|
||||
return $filteredHash;
|
||||
}
|
||||
|
||||
## @method private string _filterHash(hashref apphash)
|
||||
# Remove unauthorized menu elements
|
||||
# @param $apphash Menu elements
|
||||
# @return filtered hash
|
||||
sub _filterHash {
|
||||
my $self = shift;
|
||||
my ($apphash) = @_;
|
||||
my $key;
|
||||
my $appkey;
|
||||
|
||||
foreach $key ( keys %$apphash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $apphash->{$key}->{type}
|
||||
and $apphash->{$key}->{type} eq "category" )
|
||||
{
|
||||
|
||||
# Filter the category
|
||||
$self->_filterHash( $apphash->{$key} );
|
||||
}
|
||||
if ( $apphash->{$key}->{type}
|
||||
and $apphash->{$key}->{type} eq "application" )
|
||||
{
|
||||
|
||||
# Find sub applications and filter them
|
||||
foreach $appkey ( keys %{ $apphash->{$key} } ) {
|
||||
next if $appkey =~ /(type|options|catname)/;
|
||||
|
||||
# We have sub elements, so we filter them
|
||||
$self->_filterHash( $apphash->{$key} );
|
||||
}
|
||||
|
||||
# Check rights
|
||||
my $appdisplay = $apphash->{$key}->{options}->{display}
|
||||
|| "auto";
|
||||
my $appuri = $apphash->{$key}->{options}->{uri};
|
||||
|
||||
# Remove if display is "no" or "off"
|
||||
delete $apphash->{$key} and next if ( $appdisplay =~ /^(no|off)$/ );
|
||||
|
||||
# Keep node if display is "yes" or "on"
|
||||
next if ( $appdisplay =~ /^(yes|on)$/ );
|
||||
|
||||
# Check grant function if display is "auto" (this is the default)
|
||||
delete $apphash->{$key} unless ( $self->_grant($appuri) );
|
||||
next;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
## @method private void _isCategoryEmpty(hashref apphash)
|
||||
# Check if a category is empty
|
||||
# @param $apphash Menu elements
|
||||
# @return boolean
|
||||
sub _isCategoryEmpty {
|
||||
my $self = shift;
|
||||
my ($apphash) = @_;
|
||||
my $key;
|
||||
|
||||
# Test sub categories
|
||||
foreach $key ( keys %$apphash ) {
|
||||
next if $key =~ /(type|options|catname)/;
|
||||
if ( $apphash->{$key}->{type}
|
||||
and $apphash->{$key}->{type} eq "category" )
|
||||
{
|
||||
delete $apphash->{$key}
|
||||
if $self->_isCategoryEmpty( $apphash->{$key} );
|
||||
}
|
||||
}
|
||||
|
||||
# Test this category
|
||||
if ( $apphash->{type} and $apphash->{type} eq "category" ) {
|
||||
|
||||
# Temporary store 'options'
|
||||
my $tmp_options = $apphash->{options};
|
||||
my $tmp_catname = $apphash->{catname};
|
||||
|
||||
delete $apphash->{type};
|
||||
delete $apphash->{options};
|
||||
delete $apphash->{catname};
|
||||
|
||||
if ( scalar( keys %$apphash ) ) {
|
||||
|
||||
# There are sub categories or sub applications
|
||||
# Restore type and options
|
||||
$apphash->{type} = "category";
|
||||
$apphash->{options} = $tmp_options;
|
||||
$apphash->{catname} = $tmp_catname;
|
||||
|
||||
# Return false
|
||||
return 0;
|
||||
}
|
||||
else {
|
||||
|
||||
# Return true
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
1;
|
|
@ -39,7 +39,7 @@ sub _modifyPassword {
|
|||
|
||||
# TODO: verify oldpassword
|
||||
unless ( $req->datas->{oldpassword} = $req->param('oldpassword') ) {
|
||||
$self->lmLog( "Portal require old password", 'warn' );
|
||||
$self->logger->warn("Portal require old password");
|
||||
return PE_PP_MUST_SUPPLY_OLD_PASSWORD;
|
||||
}
|
||||
|
||||
|
@ -56,7 +56,7 @@ sub _modifyPassword {
|
|||
# Call password package
|
||||
my $res = $self->modifyPassword( $req, $req->datas->{newpassword} );
|
||||
if ( $res == PE_PASSWORD_OK ) {
|
||||
$self->lmLog( 'Update password in session for ' . $req->user, 'debug' );
|
||||
$self->logger->debug( 'Update password in session for ' . $req->user );
|
||||
my $infos;
|
||||
|
||||
# Store new password if asked
|
||||
|
|
|
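Review bot: The `# TODO: verify oldpassword` above the converted warn call still stands in the new code: the `unless` only checks that an old password was supplied, not that it is correct, so if the backend `modifyPassword` called a few lines below does not verify it, a change request carrying a wrong old password would go through. Moving the assignment out of the condition also makes that intent readable: `$req->datas->{oldpassword} = $req->param('oldpassword');` followed by `unless ( $req->datas->{oldpassword} ) {`. The log text itself should read `"Portal requires old password"`. `_modifyPassword` starts before and ends after these hunks.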
@ -33,7 +33,7 @@ sub modifyPassword {
|
|||
if ($@) {
|
||||
|
||||
# If connection isn't available, error is displayed by dbh()
|
||||
$self->lmLog( "DBI password modification error: $@", 'error' )
|
||||
$self->logger->error("DBI password modification error: $@")
|
||||
if ( $self->_dbh );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
|
|
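Review bot: The converted call `$self->logger->error("DBI password modification error: $@") if ( $self->_dbh );` reads `$@` only after the modifier's condition has run, because Perl evaluates a statement modifier's condition before the statement it guards. If `_dbh` uses `eval` internally (the comment above says it reports connection errors itself, so it may), `$@` will already be empty or overwritten when the message is built and the log line loses the actual error. Copy it first: `my $err = $@;` and then log `"DBI password modification error: $err"`. `modifyPassword` starts outside this hunk.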
@ -48,24 +48,18 @@ sub modifyPassword {
|
|||
);
|
||||
|
||||
unless ( $result->code == 0 ) {
|
||||
$self->lmLog(
|
||||
"LDAP modify "
|
||||
$self->logger->error( "LDAP modify "
|
||||
. $self->{ldapPasswordResetAttribute}
|
||||
. " error: "
|
||||
. $result->code,
|
||||
'error'
|
||||
);
|
||||
. $result->code );
|
||||
$self->ldap->unbind;
|
||||
$self->{flags}->{ldapActive} = 0;
|
||||
return PE_LDAPERROR;
|
||||
}
|
||||
|
||||
$self->lmLog(
|
||||
$self->{ldapPasswordResetAttribute}
|
||||
$self->logger->debug( $self->{ldapPasswordResetAttribute}
|
||||
. " set to "
|
||||
. $self->{ldapPasswordResetAttributeValue},
|
||||
'debug'
|
||||
);
|
||||
. $self->{ldapPasswordResetAttributeValue} );
|
||||
}
|
||||
|
||||
return $code;
|
||||
|
|
|
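Review bot: The rewritten error call in the `unless ( $result->code == 0 )` branch logs only the numeric LDAP result code, which is hard to interpret without a reference table; if `$result` is a Net::LDAP::Message, as the surrounding `ldap->unbind` call suggests, `$result->error` carries the server's explanatory text. Building the message in a variable first also removes the dangling `. $result->code );` continuation line: `my $msg = "LDAP modify $self->{ldapPasswordResetAttribute} error: " . $result->code . ' (' . $result->error . ')';` then `$self->logger->error($msg);`. The same layout applies to the debug call further down in the hunk. `modifyPassword` continues outside the hunk.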
@ -23,7 +23,7 @@ sub changeUrldc {
|
|||
and $self->p->isTrustedUrl($urldc) )
|
||||
{
|
||||
my $ssl = $urldc =~ /^https/;
|
||||
$self->lmLog( 'CDA request', 'debug' );
|
||||
$self->logger->debug('CDA request');
|
||||
|
||||
# Create CDA session
|
||||
if ( my $cdaSession = $self->getApacheSession( undef, kind => "CDA" ) )
|
||||
|
@ -46,10 +46,10 @@ sub changeUrldc {
|
|||
. $self->{conf}->{cookieName} . "cda="
|
||||
. $cdaSession->id;
|
||||
|
||||
$self->lmLog( "CDA redirection to " . $req->{urldc}, 'debug' );
|
||||
$self->logger->debug( "CDA redirection to " . $req->{urldc} );
|
||||
}
|
||||
else {
|
||||
$self->lmLog( "Unable to create CDA session", 'error' );
|
||||
$self->logger->error("Unable to create CDA session");
|
||||
return PE_APACHESESSIONERROR;
|
||||
}
|
||||
}
|
||||
|
|
|
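Review bot: The debug line `$self->logger->debug( "CDA redirection to " . $req->{urldc} );` writes the full redirect URL, and the lines just above it appear to append `cda=` followed by `$cdaSession->id` to that URL, so the CDA session identifier is copied into the log file. That identifier is what establishes the session on the target domain, so anyone with log access would hold a usable credential; log the destination without its query string, e.g. `$self->logger->debug( 'CDA redirection to ' . ( split /\?/, $req->{urldc}, 2 )[0] );`, or log `$urldc` as received before the parameter is added. `changeUrldc` starts outside the first hunk.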
@ -21,15 +21,14 @@ sub forceAuth {
|
|||
# Do not force authentication if last successful authentication is recent
|
||||
my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
|
||||
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
|
||||
$self->lmLog(
|
||||
"Authentication is recent, so do not force authentication for session $req->id",
|
||||
'debug'
|
||||
$self->logger->debug(
|
||||
"Authentication is recent, so do not force authentication for session $req->id"
|
||||
);
|
||||
}
|
||||
else {
|
||||
|
||||
# Else, launch authentication process
|
||||
$self->lmLog( "Force reauthentication for session $req->id", 'debug' );
|
||||
$self->logger->debug("Force reauthentication for session $req->id");
|
||||
$req->steps(
|
||||
[
|
||||
@{ $self->p->beforeAuth },
|
||||
|
|
|
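Review bot: Both converted debug calls interpolate a method call inside a double-quoted string: in `"Force reauthentication for session $req->id"` (and in the longer "Authentication is recent" message above it) Perl interpolates only `$req`, so the log shows the stringified object reference followed by a literal `->id` rather than the session id. Use concatenation instead: `$self->logger->debug( "Force reauthentication for session " . $req->id );` and the same shape for the first message. The defect is pre-existing, but the commit rewrites both lines, so this is the moment to fix them. `forceAuth` continues outside the hunk.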
@ -106,8 +106,7 @@ sub _reset {
|
|||
|
||||
# OTHER FORMS
|
||||
if ($mailToken) {
|
||||
$self->lmLog( "Token given for password reset: " . $mailToken,
|
||||
'debug' );
|
||||
$self->logger->debug( "Token given for password reset: " . $mailToken );
|
||||
|
||||
# Check if token is valid
|
||||
my $mailSession = $self->mailott->getToken($mailToken);
|
||||
|
@ -119,7 +118,7 @@ sub _reset {
|
|||
$req->{mail} = $mailSession->{user};
|
||||
$req->datas->{mailAddress} =
|
||||
$mailSession->{ $self->conf->{mailSessionKey} };
|
||||
$self->lmLog( 'User associated to: ' . $req->{mail}, 'debug' );
|
||||
$self->logger->debug( 'User associated to: ' . $req->{mail} );
|
||||
}
|
||||
|
||||
# Check for values posted
|
||||
|
@ -159,7 +158,7 @@ sub _reset {
|
|||
$self->setSecurity($req);
|
||||
return PE_CAPTCHAERROR;
|
||||
}
|
||||
$self->lmLog( "Captcha code verified", 'debug' );
|
||||
$self->logger->debug("Captcha code verified");
|
||||
}
|
||||
elsif ( $self->conf->{requireToken} ) {
|
||||
unless ( $self->ott->getToken($token) ) {
|
||||
|
@ -234,7 +233,7 @@ sub _reset {
|
|||
$req->id( $mailSession->id );
|
||||
}
|
||||
elsif ($mailSession) {
|
||||
$self->lmLog( 'Mail session found: ' . $mailSession->id, 'debug' );
|
||||
$self->logger->debug( 'Mail session found: ' . $mailSession->id );
|
||||
$req->datas->{mailAlreadySent} = 1;
|
||||
}
|
||||
|
||||
|
@ -244,7 +243,7 @@ sub _reset {
|
|||
# Mail session expiration date
|
||||
my $expTimestamp = $mailSession->data->{mailSessionTimeoutTimestamp};
|
||||
|
||||
$self->lmLog( "Mail expiration timestamp: $expTimestamp", 'debug' );
|
||||
$self->logger->debug("Mail expiration timestamp: $expTimestamp");
|
||||
|
||||
$req->datas->{expMailDate} =
|
||||
strftime( "%d/%m/%Y", localtime $expTimestamp );
|
||||
|
@ -254,7 +253,7 @@ sub _reset {
|
|||
# Mail session start date
|
||||
my $startTimestamp = $mailSession->data->{mailSessionStartTimestamp};
|
||||
|
||||
$self->lmLog( "Mail start timestamp: $startTimestamp", 'debug' );
|
||||
$self->logger->debug("Mail start timestamp: $startTimestamp");
|
||||
$req->datas->{startMailDate} =
|
||||
strftime( "%d/%m/%Y", localtime $startTimestamp );
|
||||
$req->datas->{startMailTime} =
|
||||
|
@ -326,7 +325,7 @@ sub _reset {
|
|||
)
|
||||
)
|
||||
{
|
||||
$self->lmLog( 'Unable to send reset mail', 'debug' );
|
||||
$self->logger->debug('Unable to send reset mail');
|
||||
|
||||
# Don't return an error here to avoid enumeration
|
||||
}
|
||||
|
@ -342,7 +341,7 @@ sub _reset {
|
|||
|
||||
sub changePwd {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( 'Change password form response', 'debug' );
|
||||
$self->logger->debug('Change password form response');
|
||||
|
||||
if ( my $token = $req->param('token') ) {
|
||||
$req->sessionInfo( $self->ott->getToken($token) );
|
||||
|
@ -368,15 +367,14 @@ sub changePwd {
|
|||
|
||||
# Check if user wants to generate the new password
|
||||
if ( $req->param('reset') ) {
|
||||
$self->lmLog(
|
||||
"Reset password request for " . $req->{sessionInfo}->{_user},
|
||||
'debug' );
|
||||
$self->logger->debug(
|
||||
"Reset password request for " . $req->{sessionInfo}->{_user} );
|
||||
|
||||
# Generate a complex password
|
||||
my $password =
|
||||
$self->gen_password( $self->conf->{randomPasswordRegexp} );
|
||||
|
||||
$self->lmLog( "Generated password: " . $password, 'debug' );
|
||||
$self->logger->debug( "Generated password: " . $password );
|
||||
|
||||
$req->datas->{newpassword} = $password;
|
||||
$req->datas->{confirmpassword} = $password;
|
||||
|
@ -460,7 +458,7 @@ sub setSecurity {
|
|||
|
||||
sub display {
|
||||
my ( $self, $req ) = @_;
|
||||
$self->lmLog( 'Display called with code: ' . $req->error, 'debug' );
|
||||
$self->logger->debug( 'Display called with code: ' . $req->error );
|
||||
my %tplPrm = (
|
||||
PORTAL_URL => $self->conf->{portal},
|
||||
SKIN_PATH => '/static',
|
||||
|
@ -514,25 +512,25 @@ sub display {
|
|||
and !$req->datas->{mailToken}
|
||||
)
|
||||
{
|
||||
$self->lmLog( 'Display form', 'debug' );
|
||||
$self->logger->debug('Display form');
|
||||
$tplPrm{DISPLAY_FORM} = 1;
|
||||
}
|
||||
|
||||
# Display mail confirmation resent form
|
||||
elsif ( $req->error == PE_MAILCONFIRMATION_ALREADY_SENT ) {
|
||||
$self->lmLog( 'Display resend form', 'debug' );
|
||||
$self->logger->debug('Display resend form');
|
||||
$tplPrm{DISPLAY_RESEND_FORM} = 1;
|
||||
}
|
||||
|
||||
# Display confirmation mail sent
|
||||
elsif ( $req->error == PE_MAILCONFIRMOK ) {
|
||||
$self->lmLog( 'Display "confirm mail sent"', 'debug' );
|
||||
$self->logger->debug('Display "confirm mail sent"');
|
||||
$tplPrm{DISPLAY_CONFIRMMAILSENT} = 1;
|
||||
}
|
||||
|
||||
# Display mail sent
|
||||
elsif ( $req->error == PE_MAILOK ) {
|
||||
$self->lmLog( 'Display "mail sent"', 'debug' );
|
||||
$self->logger->debug('Display "mail sent"');
|
||||
$tplPrm{DISPLAY_MAILSENT} = 1;
|
||||
}
|
||||
|
||||
|
@ -542,7 +540,7 @@ sub display {
|
|||
and $req->error != PE_BADMAILTOKEN
|
||||
and $req->error != PE_MAILOK )
|
||||
{
|
||||
$self->lmLog( 'Display password form', 'debug' );
|
||||
$self->logger->debug('Display password form');
|
||||
$tplPrm{DISPLAY_PASSWORD_FORM} = 1;
|
||||
}
|
||||
|
||||
|
|
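Review bot: `$self->logger->debug( "Generated password: " . $password );` in the `changePwd` hunk writes the freshly generated user password to the log in clear text, and `$self->logger->debug( "Token given for password reset: " . $mailToken );` in the first `_reset` hunk does the same for the reset token. Debug logs are routinely shipped to central collectors and retained, so both values become credentials at rest; log the event without the secret, e.g. `$self->logger->debug( 'Generated password for ' . $req->{sessionInfo}->{_user} );` and `$self->logger->debug('Token given for password reset');`. Separately, 'Unable to send reset mail' is logged at debug level although it is a server-side failure the operator needs to see; `warn` or `error` would not weaken the anti-enumeration behaviour, since the response sent to the user is unchanged. `_reset`, `changePwd` and `display` all extend beyond the hunks shown.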