Skip registration of OIDC RP when config has errors (#2525)
This commit is contained in:
parent
603be4fe1b
commit
e50db3f083
|
@ -105,8 +105,11 @@ sub loadRPs {
|
||||||
"No OpenID Connect Relying Party found in configuration");
|
"No OpenID Connect Relying Party found in configuration");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
$self->oidcRPList( $self->conf->{oidcRPMetaDataOptions} );
|
|
||||||
foreach my $rp ( keys %{ $self->oidcRPList } ) {
|
foreach my $rp ( keys %{ $self->conf->{oidcRPMetaDataOptions} || {} } ) {
|
||||||
|
my $valid = 1;
|
||||||
|
|
||||||
|
# Handle attributes
|
||||||
my $attributes = {
|
my $attributes = {
|
||||||
profile => PROFILE,
|
profile => PROFILE,
|
||||||
email => EMAIL,
|
email => EMAIL,
|
||||||
|
@ -125,50 +128,70 @@ sub loadRPs {
|
||||||
$attributes->{$claim} = \@extraAttributes;
|
$attributes->{$claim} = \@extraAttributes;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$self->rpAttributes->{$rp} = $attributes;
|
|
||||||
|
|
||||||
my $rule = $self->oidcRPList->{$rp}->{oidcRPMetaDataOptionsRule};
|
# Access rule
|
||||||
|
my $rule = $self->conf->{oidcRPMetaDataOptions}->{$rp}
|
||||||
|
->{oidcRPMetaDataOptionsRule};
|
||||||
if ( length $rule ) {
|
if ( length $rule ) {
|
||||||
$rule = $self->p->HANDLER->substitute($rule);
|
$rule = $self->p->HANDLER->substitute($rule);
|
||||||
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
|
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
|
||||||
$self->error( 'OIDC RP rule error: '
|
$self->logger->error( "Unable to build access rule for RP $rp: "
|
||||||
. $self->p->HANDLER->tsv->{jail}->error );
|
. $self->p->HANDLER->tsv->{jail}->error );
|
||||||
return 0;
|
$valid = 0;
|
||||||
}
|
}
|
||||||
$self->spRules->{$rp} = $rule;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Load per-RP macros
|
# Load per-RP macros
|
||||||
my $macros = $self->conf->{oidcRPMetaDataMacros}->{$rp};
|
my $macros = $self->conf->{oidcRPMetaDataMacros}->{$rp};
|
||||||
|
my $compiledMacros = {};
|
||||||
for my $macroAttr ( keys %{$macros} ) {
|
for my $macroAttr ( keys %{$macros} ) {
|
||||||
my $macroRule = $macros->{$macroAttr};
|
my $macroRule = $macros->{$macroAttr};
|
||||||
if ( length $macroRule ) {
|
if ( length $macroRule ) {
|
||||||
$macroRule = $self->p->HANDLER->substitute($macroRule);
|
$macroRule = $self->p->HANDLER->substitute($macroRule);
|
||||||
unless ( $macroRule = $self->p->HANDLER->buildSub($macroRule) )
|
if ( $macroRule = $self->p->HANDLER->buildSub($macroRule) ) {
|
||||||
{
|
$compiledMacros->{$macroAttr} = $macroRule;
|
||||||
$self->error( 'OIDC RP macro error: '
|
}
|
||||||
. $self->p->HANDLER->tsv->{jail}->error );
|
else {
|
||||||
return 0;
|
$self->logger->error(
|
||||||
|
"Unable to build macro $macroAttr for RP $rp:"
|
||||||
|
. $self->p->HANDLER->tsv->{jail}->error );
|
||||||
|
$valid = 0;
|
||||||
}
|
}
|
||||||
$self->spMacros->{$rp}->{$macroAttr} = $macroRule;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# Load per-RP dynamic scopes
|
# Load per-RP dynamic scopes
|
||||||
my $scopes = $self->conf->{oidcRPMetaDataScopeRules}->{$rp};
|
my $scopes = $self->conf->{oidcRPMetaDataScopeRules}->{$rp};
|
||||||
|
my $compiledScopes = {};
|
||||||
for my $scopeName ( keys %{$scopes} ) {
|
for my $scopeName ( keys %{$scopes} ) {
|
||||||
my $scopeRule = $scopes->{$scopeName};
|
my $scopeRule = $scopes->{$scopeName};
|
||||||
if ( length $scopeRule ) {
|
if ( length $scopeRule ) {
|
||||||
$scopeRule = $self->p->HANDLER->substitute($scopeRule);
|
$scopeRule = $self->p->HANDLER->substitute($scopeRule);
|
||||||
unless ( $scopeRule = $self->p->HANDLER->buildSub($scopeRule) )
|
if ( $scopeRule = $self->p->HANDLER->buildSub($scopeRule) ) {
|
||||||
{
|
$compiledScopes->{$scopeName} = $scopeRule;
|
||||||
$self->error( 'OIDC RP dynamic scope rule error: '
|
}
|
||||||
. $self->p->HANDLER->tsv->{jail}->error );
|
else {
|
||||||
return 0;
|
$self->logger->error(
|
||||||
|
"Unable to build scope $scopeName for RP $rp:"
|
||||||
|
. $self->p->HANDLER->tsv->{jail}->error );
|
||||||
|
$valid = 0;
|
||||||
}
|
}
|
||||||
$self->spScopeRules->{$rp}->{$scopeName} = $scopeRule;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if ($valid) {
|
||||||
|
|
||||||
|
# Register RP
|
||||||
|
$self->oidcRPList->{$rp} =
|
||||||
|
$self->conf->{oidcRPMetaDataOptions}->{$rp};
|
||||||
|
$self->rpAttributes->{$rp} = $attributes;
|
||||||
|
$self->spMacros->{$rp} = $compiledMacros;
|
||||||
|
$self->spScopeRules->{$rp} = $compiledScopes;
|
||||||
|
$self->spRules->{$rp} = $rule;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->logger->error(
|
||||||
|
"Relaying Party $rp has errors and will be ignored");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
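Review bot: Inside the new `if ($valid)` block, `$self->spRules->{$rp} = $rule;` is now executed unconditionally, whereas the removed code only set the key inside `if ( length $rule )`, so an RP with no configured rule now gets an undef/empty entry where the key used to be absent; unless the consumer of `spRules` is confirmed to test truthiness rather than `exists`, guard it with `$self->spRules->{$rp} = $rule if length $rule;`. The change from `return 0` (the whole issuer failing to load) to skipping the RP is fail-closed for that client, since an unregistered client_id cannot match, but the only signal is now a logger error, so a typo in a rule or macro silently takes one RP offline instead of blocking startup; I would say so in the `else` branch, e.g. `# Fail closed per RP: a broken rule/macro/scope unregisters only this client, so the error above is the only trace an operator gets`. In the same `else`, the message reads "Relaying Party"; it should be "Relying Party", and the macro/scope messages `"Unable to build macro $macroAttr for RP $rp:"` and `"... scope $scopeName for RP $rp:"` lack the space before the appended jail error that the rule message has. Note that `sub loadRPs` opens before the first hunk, so the initialisation of `oidcRPList`, `spRules`, `spMacros` and `spScopeRules` is not visible here.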
|
||||||
|
|