Merge branch 'master' into manager-SFA-module
This commit is contained in:
commit
e3b839ee95
2
COPYING
2
COPYING
|
@ -13,7 +13,7 @@ Copyright: 2005-2018, Xavier Guimard <x.guimard@free.fr>
|
|||
2012-2015, David Coutadeur <david.coutadeur@gmail.com>
|
||||
2018, Christophe Maudoux <chrmdx@gmail.com>
|
||||
2006-2015, LINAGORA <info@linagora.com>
|
||||
2015-2017, Savoir-faire Linux <contac@savoirfairelinux.com>
|
||||
2015-2018, Savoir-faire Linux <contac@savoirfairelinux.com>
|
||||
License: GPL-2+
|
||||
|
||||
Files: lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/PAM.pm
|
||||
|
|
12
RELEASE
12
RELEASE
|
@ -21,16 +21,22 @@ Before release
|
|||
--------------
|
||||
|
||||
- Update documentation:
|
||||
$ make documentation
|
||||
|
||||
$ ./script/parameters-for-wiki.pl >/tmp/prmlist.txt
|
||||
|
||||
Replace https://lemonldap-ng.org/documentation/X.X/parameterlist by
|
||||
/tmp/prmlist.txt content
|
||||
|
||||
$ make documentation
|
||||
|
||||
- Translate documentation
|
||||
$ make fr-doc
|
||||
$ make fr-doc
|
||||
|
||||
- Update debian/changelog
|
||||
launch just `dch -r` and force save (":w" and ot ":x")
|
||||
|
||||
- Check Debian packages quality
|
||||
$ cme check dpkg
|
||||
$ cme check dpkg
|
||||
|
||||
For minor release
|
||||
-----------------
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
|
||||
* Minimal authn level system (choice only)
|
||||
* (2ndF/OTP mail)
|
||||
* Combination/Choice for password (using session data)
|
||||
|
|
|
@ -46,7 +46,7 @@ Log : $conf->{cfgLog}
|
|||
|
||||
sub updateCache {
|
||||
my $self = shift;
|
||||
my $conf = $self->confAccess->getConf( { noCache => 1, raw => 1 } );
|
||||
my $conf = $self->confAccess->getConf( { noCache => 2 } );
|
||||
die "Must not be launched as root" unless ($>);
|
||||
print STDERR
|
||||
qq{Cache updated to configuration $conf->{cfgNum} for user $>\n};
|
||||
|
|
|
@ -200,7 +200,7 @@ sub getConf {
|
|||
# Store modified configuration in cache
|
||||
$self->setLocalConf($r)
|
||||
if ( $self->{refLocalStorage}
|
||||
and not( $args->{noCache} or $args->{raw} ) );
|
||||
and not( $args->{noCache} == 1 or $args->{raw} ) );
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -211,7 +211,7 @@ sub virtualHosts {
|
|||
}
|
||||
return $self->sendJSONresponse( $req, $resp );
|
||||
}
|
||||
elsif ( $query =~ /^vhost(?:(?:Aliase|Http)s|Maintenance|Port|Type)$/ ) {
|
||||
elsif ( $query =~ qr/^$virtualHostKeys$/o ) {
|
||||
$self->logger->debug("Query for $vh/$query key");
|
||||
|
||||
# TODO: verify how this is done actually
|
||||
|
|
|
@ -98,10 +98,11 @@ sub unserialize {
|
|||
unless ( utf8::is_utf8($v) ) {
|
||||
$v = encode( 'UTF-8', $v );
|
||||
}
|
||||
$conf->{$k} =
|
||||
( $v =~ /./
|
||||
$conf->{$k} = (
|
||||
$v =~ /./
|
||||
? eval { from_json( $v, { allow_nonref => 1 } ) }
|
||||
: {} );
|
||||
: {}
|
||||
);
|
||||
if ($@) {
|
||||
$Lemonldap::NG::Common::Conf::msg .=
|
||||
"Unable to decode $k, switching to old format.\n";
|
||||
|
|
|
@ -93,7 +93,7 @@ sub statusInit {
|
|||
open STDOUT, ">&$fdout";
|
||||
my $perl_exec = ( $^X =~ /perl/ ) ? $^X : 'perl';
|
||||
exec $perl_exec, '-MLemonldap::NG::Handler::Lib::Status',
|
||||
map( {"-I$_"} @INC ),
|
||||
map( { "-I$_" } @INC ),
|
||||
'-e &Lemonldap::NG::Handler::Lib::Status::run()';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -84,14 +84,18 @@ sub init {
|
|||
my $portal = $conf->{portal};
|
||||
$portal =~ s#https?://([^/]*).*#$1#;
|
||||
$self->csp(
|
||||
"default-src 'self' $portal;frame-ancestors 'none';form-action 'self';"
|
||||
"default-src 'self' $portal;frame-ancestors 'none';form-action 'self';"
|
||||
);
|
||||
|
||||
$self->defaultRoute( $working[0]->defaultRoute );
|
||||
|
||||
# Find out more glyphicones at https://www.w3schools.com/icons/bootstrap_icons_glyphicons.asp
|
||||
my $linksIcons =
|
||||
{ 'conf' => 'cog', 'sessions' => 'duplicate', 'notifications' => 'bell', '2ndFA' => 'wrench' };
|
||||
my $linksIcons = {
|
||||
'conf' => 'cog',
|
||||
'sessions' => 'duplicate',
|
||||
'notifications' => 'bell',
|
||||
'2ndFA' => 'wrench'
|
||||
};
|
||||
|
||||
$self->links( [] );
|
||||
for ( my $i = 0 ; $i < @links ; $i++ ) {
|
||||
|
|
|
@ -62,7 +62,6 @@ sub addRoutes {
|
|||
$self->{hiddenAttributes} //= "_password";
|
||||
}
|
||||
|
||||
|
||||
###################
|
||||
# II. 2FA METHODS #
|
||||
###################
|
||||
|
@ -84,18 +83,17 @@ sub delete2FAKey {
|
|||
return $self->deleteTOTPKey( $req, $session, $skey );
|
||||
}
|
||||
else {
|
||||
return $self->sendError( $req, undef, 666 );
|
||||
return $self->sendError( $req, undef, 400 );
|
||||
}
|
||||
}
|
||||
|
||||
sub add2FAKey {
|
||||
|
||||
my ( $self, $req, $session, $skey ) = @_;
|
||||
my ( $self, $req, $session, $skey ) = @_;
|
||||
|
||||
eval 'use Crypt::U2F::Server::Simple';
|
||||
if ($@) {
|
||||
$self->error("Can't load U2F library: $@");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -129,7 +127,7 @@ sub sfa {
|
|||
my $Key = $params->{sessionType};
|
||||
|
||||
my $res;
|
||||
|
||||
|
||||
# Case 2: list of sessions
|
||||
|
||||
my $whatToTrace = Lemonldap::NG::Handler::PSGI::Main->tsv->{whatToTrace};
|
||||
|
|
|
@ -227,7 +227,7 @@ sub attributes {
|
|||
},
|
||||
localStorageOptions => {
|
||||
type => 'keyTextContainer',
|
||||
documentation => 'Local cache',
|
||||
documentation => 'Local cache parameters',
|
||||
flags => 'hmp',
|
||||
},
|
||||
cfgNum => {
|
||||
|
@ -824,7 +824,7 @@ sub attributes {
|
|||
localSessionStorage => {
|
||||
type => 'PerlModule',
|
||||
default => 'Cache::FileCache',
|
||||
documentation => 'Sessions cache module',
|
||||
documentation => 'Local sessions cache module',
|
||||
},
|
||||
localSessionStorageOptions => {
|
||||
type => 'keyTextContainer',
|
||||
|
@ -1411,8 +1411,12 @@ sub attributes {
|
|||
},
|
||||
|
||||
# CAS IDP
|
||||
casAttr => { type => 'text', },
|
||||
casAttributes => { type => 'keyTextContainer', },
|
||||
casAttr =>
|
||||
{ type => 'text', documentation => 'Pivot attribute for CAS', },
|
||||
casAttributes => {
|
||||
type => 'keyTextContainer',
|
||||
documentation => 'CAS exported attributes',
|
||||
},
|
||||
casAccessControlPolicy => {
|
||||
type => 'select',
|
||||
select => [
|
||||
|
@ -1423,9 +1427,13 @@ sub attributes {
|
|||
default => 'none',
|
||||
documentation => 'CAS access control policy',
|
||||
},
|
||||
casStorage => { type => 'PerlModule', },
|
||||
casStorage => {
|
||||
type => 'PerlModule',
|
||||
documentation => 'Apache::Session module to store CAS user data',
|
||||
},
|
||||
casStorageOptions => {
|
||||
type => 'keyTextContainer',
|
||||
type => 'keyTextContainer',
|
||||
documentation => 'Apache::Session module parameters',
|
||||
},
|
||||
issuerDBCASActivation => {
|
||||
default => 0,
|
||||
|
@ -1444,7 +1452,10 @@ sub attributes {
|
|||
},
|
||||
|
||||
# Partners
|
||||
casAppMetaDataOptions => { type => 'subContainer', },
|
||||
casAppMetaDataOptions => {
|
||||
type => 'subContainer',
|
||||
documentation => 'Root of CAS app options',
|
||||
},
|
||||
casAppMetaDataExportedVars => {
|
||||
type => 'keyTextContainer',
|
||||
default => { cn => 'cn', mail => 'mail', uid => 'uid', },
|
||||
|
@ -1605,8 +1616,14 @@ sub attributes {
|
|||
type => 'bool',
|
||||
documentation => 'SAML force metadata UTF8 conversion',
|
||||
},
|
||||
samlStorage => { type => 'PerlModule', },
|
||||
samlStorageOptions => { type => 'keyTextContainer', },
|
||||
samlStorage => {
|
||||
type => 'PerlModule',
|
||||
documentation => 'Apache::Session module to store SAML user data',
|
||||
},
|
||||
samlStorageOptions => {
|
||||
type => 'keyTextContainer',
|
||||
documentation => 'Apache::Session module parameters',
|
||||
},
|
||||
samlAuthnContextMapPassword => {
|
||||
type => 'int',
|
||||
default => 2,
|
||||
|
@ -2231,9 +2248,12 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
default => 'find',
|
||||
documentation => '"deref" param of Net::LDAP::search()',
|
||||
},
|
||||
mailLDAPFilter => { type => 'text', },
|
||||
LDAPFilter => { type => 'text', },
|
||||
AuthLDAPFilter => { type => 'text', },
|
||||
mailLDAPFilter =>
|
||||
{ type => 'text', documentation => 'LDAP filter for mail search' },
|
||||
LDAPFilter =>
|
||||
{ type => 'text', documentation => 'Default LDAP filter' },
|
||||
AuthLDAPFilter =>
|
||||
{ type => 'text', documentation => 'LDAP filter for auth search' },
|
||||
ldapGroupRecursive => {
|
||||
default => 0,
|
||||
type => 'bool',
|
||||
|
@ -2312,7 +2332,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
default => { cn => 'cn', mail => 'mail', uid => 'uid', },
|
||||
documentation => 'CAS exported variables',
|
||||
},
|
||||
casSrvMetaDataOptions => { type => 'subContainer', },
|
||||
casSrvMetaDataOptions => {
|
||||
type => 'subContainer',
|
||||
documentation => 'Root of CAS server options',
|
||||
},
|
||||
casSrvMetaDataOptionsGateway => { type => 'bool', },
|
||||
casSrvMetaDataOptionsProxiedServices => {
|
||||
type => 'keyTextContainer',
|
||||
|
@ -2385,7 +2408,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
ns =>
|
||||
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
|
||||
},
|
||||
documentation => 'Demo exported variables',
|
||||
documentation => 'Apache::Session module parameters',
|
||||
},
|
||||
|
||||
# Proxy
|
||||
|
@ -2649,6 +2672,7 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
{ k => 'Custom', v => 'customModule' },
|
||||
]
|
||||
],
|
||||
documentation => 'Hash list of Choice strings',
|
||||
},
|
||||
|
||||
# Combination
|
||||
|
@ -2831,8 +2855,14 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
|
|||
default => 0,
|
||||
documentation => 'OpenID Connect allow hybrid flow',
|
||||
},
|
||||
oidcStorage => { type => 'PerlModule', },
|
||||
oidcStorageOptions => { type => 'keyTextContainer', },
|
||||
oidcStorage => {
|
||||
type => 'PerlModule',
|
||||
documentation => 'Apache::Session module to store OIDC user data',
|
||||
},
|
||||
oidcStorageOptions => {
|
||||
type => 'keyTextContainer',
|
||||
documentation => 'Apache::Session module parameters',
|
||||
},
|
||||
|
||||
# OpenID Connect metadata nodes
|
||||
oidcOPMetaDataNodes => {
|
||||
|
|
|
@ -342,16 +342,7 @@ llapp.controller 'TreeCtrl', [
|
|||
$scope.showModal('prompt.html', name).then ->
|
||||
n= $scope.result
|
||||
if n
|
||||
node = $scope.addTemplateNode n, 'virtualHost'
|
||||
delete node.nodes[0].cnodes
|
||||
node.nodes[0].nodes = [
|
||||
id: "virtualHosts/new__#{n}/locationRules/default",
|
||||
type: "rule",
|
||||
title: "default",
|
||||
comment: "",
|
||||
re: "default",
|
||||
data: "deny"
|
||||
]
|
||||
$scope.addTemplateNode n, 'virtualHost'
|
||||
|
||||
$scope.duplicateVhost = ->
|
||||
name = if $scope.domain then ".#{$scope.domain.data}" else '.example.com'
|
||||
|
@ -398,10 +389,22 @@ llapp.controller 'TreeCtrl', [
|
|||
title: name
|
||||
type: type
|
||||
nodes: templates type, "new__#{name}"
|
||||
setDefault t.nodes
|
||||
cs.$modelValue.nodes.push t
|
||||
cs.expand()
|
||||
return t
|
||||
|
||||
setDefault = (node) ->
|
||||
for n in node
|
||||
if n.cnodes and n.default
|
||||
delete n.cnodes
|
||||
n._nodes = n.default
|
||||
if n._nodes
|
||||
setDefault n._nodes
|
||||
else if n.default or n.default == 0
|
||||
n.data = n.default
|
||||
node
|
||||
|
||||
_getAll = (node) ->
|
||||
d = $q.defer()
|
||||
d2 = $q.defer()
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
// Generated by CoffeeScript 1.10.0
|
||||
// Generated by CoffeeScript 1.12.7
|
||||
|
||||
/*
|
||||
LemonLDAP::NG Manager client
|
||||
|
@ -23,7 +23,7 @@ This file contains:
|
|||
|
||||
llapp.controller('TreeCtrl', [
|
||||
'$scope', '$http', '$location', '$q', '$uibModal', '$translator', '$cookies', '$htmlParams', function($scope, $http, $location, $q, $uibModal, $translator, $cookies, $htmlParams) {
|
||||
var _checkSaveResponse, _download, _getAll, _stoggle, c, id, pathEvent, readError, setHelp;
|
||||
var _checkSaveResponse, _download, _getAll, _stoggle, c, id, pathEvent, readError, setDefault, setHelp;
|
||||
$scope.links = window.links;
|
||||
$scope.menu = $htmlParams.menu;
|
||||
$scope.menulinks = window.menulinks;
|
||||
|
@ -405,21 +405,10 @@ This file contains:
|
|||
field: 'hostname'
|
||||
};
|
||||
return $scope.showModal('prompt.html', name).then(function() {
|
||||
var n, node;
|
||||
var n;
|
||||
n = $scope.result;
|
||||
if (n) {
|
||||
node = $scope.addTemplateNode(n, 'virtualHost');
|
||||
delete node.nodes[0].cnodes;
|
||||
return node.nodes[0].nodes = [
|
||||
{
|
||||
id: "virtualHosts/new__" + n + "/locationRules/default",
|
||||
type: "rule",
|
||||
title: "default",
|
||||
comment: "",
|
||||
re: "default",
|
||||
data: "deny"
|
||||
}
|
||||
];
|
||||
return $scope.addTemplateNode(n, 'virtualHost');
|
||||
}
|
||||
});
|
||||
};
|
||||
|
@ -479,10 +468,27 @@ This file contains:
|
|||
type: type,
|
||||
nodes: templates(type, "new__" + name)
|
||||
};
|
||||
setDefault(t.nodes);
|
||||
cs.$modelValue.nodes.push(t);
|
||||
cs.expand();
|
||||
return t;
|
||||
};
|
||||
setDefault = function(node) {
|
||||
var len, n, o;
|
||||
for (o = 0, len = node.length; o < len; o++) {
|
||||
n = node[o];
|
||||
if (n.cnodes && n["default"]) {
|
||||
delete n.cnodes;
|
||||
n._nodes = n["default"];
|
||||
}
|
||||
if (n._nodes) {
|
||||
setDefault(n._nodes);
|
||||
} else if (n["default"] || n["default"] === 0) {
|
||||
n.data = n["default"];
|
||||
}
|
||||
}
|
||||
return node;
|
||||
};
|
||||
_getAll = function(node) {
|
||||
var d, d2;
|
||||
d = $q.defer();
|
||||
|
|
File diff suppressed because one or more lines are too long
|
@ -1,4 +1,4 @@
|
|||
// Generated by CoffeeScript 1.9.3
|
||||
// Generated by CoffeeScript 1.12.7
|
||||
|
||||
/*
|
||||
* Session explorer
|
||||
|
|
|
@ -106,10 +106,11 @@ sub verify {
|
|||
# Prepare args
|
||||
my $args;
|
||||
foreach my $k ( keys %{ $self->{vrfyAttrs} } ) {
|
||||
$args->{$k} =
|
||||
( $k eq 'code'
|
||||
$args->{$k} = (
|
||||
$k eq 'code'
|
||||
? $code
|
||||
: $req->sessionInfo->{ $self->{vrfyAttrs}->{$k} } );
|
||||
: $req->sessionInfo->{ $self->{vrfyAttrs}->{$k} }
|
||||
);
|
||||
}
|
||||
|
||||
# Launch REST request
|
||||
|
|
|
@ -137,24 +137,16 @@ sub selfRegister {
|
|||
}
|
||||
);
|
||||
}
|
||||
|
||||
# Get or generate master key
|
||||
elsif ( $action eq 'unregister' ) {
|
||||
$self->p->updatePersistentSession( $req,
|
||||
{ _totp2fSecret => '' }
|
||||
);
|
||||
|
||||
# Get or generate master key
|
||||
elsif ( $action eq 'unregister' ) {
|
||||
$self->p->updatePersistentSession( $req, { _totp2fSecret => '' } );
|
||||
$self->userLogger->notice('TOTP unregistration succeed');
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ],
|
||||
['{"result":1}'] ];
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
|
@ -74,18 +74,16 @@ sub run {
|
|||
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
|
||||
}
|
||||
if ( $action eq 'unregistration' ) {
|
||||
$self->p->updatePersistentSession(
|
||||
$req,
|
||||
{
|
||||
_u2fKeyHandle => '',
|
||||
_u2fUserKey => ''
|
||||
}
|
||||
);
|
||||
$self->userLogger->notice('U2F key unregistration succeed');
|
||||
return [
|
||||
200, [ 'Content-Type' => 'application/json' ],
|
||||
['{"result":1}']
|
||||
];
|
||||
$self->p->updatePersistentSession(
|
||||
$req,
|
||||
{
|
||||
_u2fKeyHandle => '',
|
||||
_u2fUserKey => ''
|
||||
}
|
||||
);
|
||||
$self->userLogger->notice('U2F key unregistration succeed');
|
||||
return [ 200, [ 'Content-Type' => 'application/json' ],
|
||||
['{"result":1}'] ];
|
||||
my $err = Crypt::U2F::Server::Simple::lastError();
|
||||
$self->userLogger->warn("U2F Unregistration failed: $err");
|
||||
return $self->p->sendError( $req, $err, 200 );
|
||||
|
@ -117,6 +115,7 @@ sub run {
|
|||
}
|
||||
my $res =
|
||||
( $req->datas->{crypter}->authenticationVerify($resp) ? 1 : 0 );
|
||||
|
||||
#$self->userLogger->notice("res=$res");
|
||||
return [
|
||||
200, [ 'Content-Type' => 'application/json' ],
|
||||
|
|
|
@ -85,6 +85,7 @@ sub verify {
|
|||
return $self->fail($req);
|
||||
}
|
||||
$self->logger->debug("Get challenge: $challenge");
|
||||
|
||||
#eval { $challenge = JSON::from_json($challenge)->{challenge} };
|
||||
if ( not $req->datas->{crypter}->setChallenge($challenge) ) {
|
||||
$self->logger->error(
|
||||
|
|
|
@ -177,8 +177,7 @@ sub try {
|
|||
|
||||
# On error, restart authentication with next scheme
|
||||
if ( $res > PE_OK ) {
|
||||
$self->logger->info(
|
||||
qq'Scheme "$name" returned $res, trying next');
|
||||
$self->logger->info(qq'Scheme "$name" returned $res, trying next');
|
||||
$req->datas->{dataKeep}->{combinationTry}++;
|
||||
$req->steps( [ @{ $req->datas->{combinationSteps} } ] );
|
||||
$req->continue(1);
|
||||
|
|
|
@ -33,6 +33,13 @@ sub init {
|
|||
|
||||
sub extractFormInfo {
|
||||
my ( $self, $req ) = @_;
|
||||
|
||||
if ( $req->datas->{_krbUser} ) {
|
||||
$self->logger->debug( 'Kerberos ticket already validated for '
|
||||
. $req->datas->{_krbUser} );
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
my $auth = $req->env->{HTTP_AUTHORIZATION};
|
||||
unless ($auth) {
|
||||
|
||||
|
@ -138,7 +145,7 @@ sub extractFormInfo {
|
|||
return PE_ERROR;
|
||||
}
|
||||
$self->userLogger->notice("$client_name authentified by Kerberos");
|
||||
$req->{_krbUser} = $client_name;
|
||||
$req->datas->{_krbUser} = $client_name;
|
||||
if ( $self->conf->{krbRemoveDomain} ) {
|
||||
$client_name =~ s/^(.*)@.*$/$1/;
|
||||
}
|
||||
|
@ -157,7 +164,7 @@ sub authLogout {
|
|||
sub setAuthSessionInfo {
|
||||
my ( $self, $req ) = @_;
|
||||
$req->{sessionInfo}->{authenticationLevel} = $self->conf->{krbAuthnLevel};
|
||||
$req->{sessionInfo}->{_krbUser} = $req->{_krbUser};
|
||||
$req->{sessionInfo}->{_krbUser} = $req->datas->{_krbUser};
|
||||
PE_OK;
|
||||
}
|
||||
|
||||
|
|
|
@ -733,7 +733,7 @@ sub extractFormInfo {
|
|||
my $res = $self->p->deleteSession($req);
|
||||
return (
|
||||
$res eq PE_LOGOUT_OK ? PE_SENDRESPONSE : $res );
|
||||
}
|
||||
}
|
||||
]
|
||||
);
|
||||
|
||||
|
|
|
@ -901,7 +901,7 @@ sub token {
|
|||
|
||||
unless ($codeSession) {
|
||||
$self->logger->error("Unable to find OIDC session $code");
|
||||
$self->p->sendError( $req, 'invalid_request', 400 );
|
||||
return $self->p->sendError( $req, 'invalid_request', 400 );
|
||||
}
|
||||
|
||||
# Check we have the same redirect_uri value
|
||||
|
@ -909,7 +909,7 @@ sub token {
|
|||
{
|
||||
$self->userLogger->error( "Provided redirect_uri is different from "
|
||||
. $codeSession->{redirect_uri} );
|
||||
$self->p->sendError( $req, 'invalid_request', 400 );
|
||||
return $self->p->sendError( $req, 'invalid_request', 400 );
|
||||
}
|
||||
|
||||
# Get user identifier
|
||||
|
@ -921,7 +921,7 @@ sub token {
|
|||
$self->userLogger->error(
|
||||
"Unable to find user session linked to OIDC session $code");
|
||||
$codeSession->remove();
|
||||
$self->p->sendError( $req, 'invalid_request', 400 );
|
||||
return $self->p->sendError( $req, 'invalid_request', 400 );
|
||||
}
|
||||
|
||||
my $user_id_attribute =
|
||||
|
@ -947,7 +947,7 @@ sub token {
|
|||
$self->userLogger->error(
|
||||
"Unable to create OIDC session for access_token");
|
||||
$codeSession->remove();
|
||||
$self->p->sendError( $req, 'invalid_request', 400 );
|
||||
return $self->p->sendError( $req, 'invalid_request', 400 );
|
||||
}
|
||||
|
||||
my $access_token = $accessTokenSession->id;
|
||||
|
@ -1102,7 +1102,7 @@ sub registration {
|
|||
# Check dynamic registration is allowed
|
||||
unless ( $self->conf->{oidcServiceAllowDynamicRegistration} ) {
|
||||
$self->logger->error("Dynamic registration is not allowed");
|
||||
$self->p->sendError( $req, 'server_error' );
|
||||
return $self->p->sendError( $req, 'server_error' );
|
||||
}
|
||||
|
||||
# Get client metadata
|
||||
|
|
|
@ -97,6 +97,7 @@ sub bind {
|
|||
unless ($self->ldap
|
||||
and $self->ldap->root_dse( attrs => ['supportedLDAPVersion'] ) )
|
||||
{
|
||||
$self->ldap->DESTROY if ( $self->ldap );
|
||||
$self->ldap( $self->newLdap );
|
||||
}
|
||||
return undef unless ( $self->ldap );
|
||||
|
|
|
@ -95,7 +95,7 @@ sub getToken {
|
|||
$self->logger->notice("Bad (or expired) token $id");
|
||||
return undef;
|
||||
}
|
||||
$self->cache->remove($id) unless($keep);
|
||||
$self->cache->remove($id) unless ($keep);
|
||||
return from_json( $data, { allow_nonref => 1 } );
|
||||
}
|
||||
else {
|
||||
|
|
|
@ -178,24 +178,32 @@ sub sregHook {
|
|||
|
||||
# else build message and return 0
|
||||
else {
|
||||
my (@mopt,@mreq);
|
||||
my ( @mopt, @mreq );
|
||||
|
||||
# No choice for requested parameters: just an information
|
||||
foreach my $k (@req) {
|
||||
utf8::decode( $msg{req}->{$k} );
|
||||
push @mreq, {k=>$k,m=>$msg{req}->{$k}};
|
||||
push @mreq, { k => $k, m => $msg{req}->{$k} };
|
||||
}
|
||||
|
||||
# For optional parameters: checkboxes are displayed
|
||||
foreach my $k (@opt) {
|
||||
utf8::decode( $msg{opt}->{$k} );
|
||||
push @mopt,{k=>$k,m=>$msg{opt}->{$k},c=>( $ag{$k} ? 'checked' : '' )};
|
||||
push @mopt,
|
||||
{
|
||||
k => $k,
|
||||
m => $msg{opt}->{$k},
|
||||
c => ( $ag{$k} ? 'checked' : '' )
|
||||
};
|
||||
}
|
||||
|
||||
$req->datas->{_openIdTrustExtMsg} .= $self->loadTemplate('openIdTrust',params => {
|
||||
required => \@mreq,
|
||||
optional => \@mopt,
|
||||
});
|
||||
$req->datas->{_openIdTrustExtMsg} .= $self->loadTemplate(
|
||||
'openIdTrust',
|
||||
params => {
|
||||
required => \@mreq,
|
||||
optional => \@mopt,
|
||||
}
|
||||
);
|
||||
|
||||
$self->logger->debug('Building validation form');
|
||||
return ( 0, $prm );
|
||||
|
|
|
@ -101,7 +101,7 @@ sub _redirect {
|
|||
# Restore urldc if auth doesn't need to dial with browser
|
||||
$self->restoreRequest( $req, $ir );
|
||||
return $self->run( @_, @path );
|
||||
}
|
||||
}
|
||||
]
|
||||
);
|
||||
}
|
||||
|
|
|
@ -24,9 +24,10 @@ sub init {
|
|||
if ( my $rules = $self->conf->{autoSigninRules} ) {
|
||||
my $safe = Safe->new;
|
||||
foreach my $id ( sort keys %$rules ) {
|
||||
my $sub = $safe->reval('sub{my($env)=@_;return ('.$rules->{$id}.')}');
|
||||
my $sub =
|
||||
$safe->reval( 'sub{my($env)=@_;return (' . $rules->{$id} . ')}' );
|
||||
if ($@) {
|
||||
$self->error('Bad Autologin rule "'.$rules->{$id}.': $@');
|
||||
$self->error( 'Bad Autologin rule "' . $rules->{$id} . ': $@' );
|
||||
return 0;
|
||||
}
|
||||
$id =~ s/^\s*([\w\-\@]+)\s*/$1/;
|
||||
|
|
|
@ -24,8 +24,12 @@ SKIP: {
|
|||
skip 'DBD::SQLite not found', $maintests;
|
||||
}
|
||||
my $dbh = DBI->connect("dbi:SQLite:dbname=t/userdb.db");
|
||||
$dbh->do('CREATE TABLE users (user text,password text,name text,uid text,cn text,mail text)');
|
||||
$dbh->do("INSERT INTO users VALUES ('dwho','dwho','Doctor who','dwho','Doctor who','dwho\@badwolf.org')");
|
||||
$dbh->do(
|
||||
'CREATE TABLE users (user text,password text,name text,uid text,cn text,mail text)'
|
||||
);
|
||||
$dbh->do(
|
||||
"INSERT INTO users VALUES ('dwho','dwho','Doctor who','dwho','Doctor who','dwho\@badwolf.org')"
|
||||
);
|
||||
|
||||
# Initialization
|
||||
ok( $issuer = issuer(), 'Issuer portal' );
|
||||
|
|
|
@ -37,11 +37,12 @@ SKIP: {
|
|||
krbByJs => 1,
|
||||
}
|
||||
}
|
||||
);
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Simple access' );
|
||||
ok( $res->[2]->[0] =~ /script.*kerberos\.js/s, 'Found Kerberos JS' );
|
||||
my ( $host, $url, $query ) = expectForm( $res, '#');
|
||||
# TODO
|
||||
);
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Simple access' );
|
||||
ok( $res->[2]->[0] =~ /script.*kerberos\.js/s, 'Found Kerberos JS' );
|
||||
my ( $host, $url, $query ) = expectForm( $res, '#' );
|
||||
|
||||
# TODO
|
||||
}
|
||||
count($maintests);
|
||||
clean_sessions();
|
||||
|
|
|
@ -83,7 +83,7 @@ SKIP: {
|
|||
$pwd = $2;
|
||||
ok( $user eq 'fbar', 'Get good login' );
|
||||
|
||||
my $postString = 'user='.$user.'&password='.$pwd;
|
||||
my $postString = 'user=' . $user . '&password=' . $pwd;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/', IO::String->new($postString),
|
||||
|
|
|
@ -34,10 +34,10 @@ SKIP: {
|
|||
authentication => 'LDAP',
|
||||
userDB => 'Same',
|
||||
passwordDB => 'LDAP',
|
||||
ldapServer => 'ldap://127.0.0.1:19389/',
|
||||
ldapBase => 'ou=users,dc=example,dc=com',
|
||||
managerDn => 'cn=admin,dc=example,dc=com',
|
||||
managerPassword => 'admin',
|
||||
ldapServer => 'ldap://127.0.0.1:19389/',
|
||||
ldapBase => 'ou=users,dc=example,dc=com',
|
||||
managerDn => 'cn=admin,dc=example,dc=com',
|
||||
managerPassword => 'admin',
|
||||
captcha_mail_enabled => 0,
|
||||
portalDisplayResetPassword => 1,
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@ require './lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm';
|
|||
require './lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm';
|
||||
|
||||
my $rmg =
|
||||
"^(?:(?:$Lemonldap::NG::Common::Conf::ReConstants::virtualHostKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::casAppMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::casSrvMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::oidcOPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::oidcRPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::samlIDPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::samlSPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::specialNodeKeys)|(.*Options))\$";
|
||||
"^(?:(?:$Lemonldap::NG::Common::Conf::ReConstants::virtualHostKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::casAppMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::casSrvMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::oidcOPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::oidcRPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::samlIDPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::samlSPMetaDataNodeKeys)|(?:$Lemonldap::NG::Common::Conf::ReConstants::specialNodeKeys))\$";
|
||||
$rmg = qr/$rmg/;
|
||||
|
||||
my $ignore = qr/^(?:virtualHosts)$/;
|
||||
|
|
Loading…
Reference in New Issue
Block a user