Skip registration of OIDC RP when config has errors (#2525)

Maxime Besson 2021-05-01 20:45:24 +02:00
parent 603be4fe1b
commit e50db3f083


@ -105,8 +105,11 @@ sub loadRPs {
"No OpenID Connect Relying Party found in configuration"); "No OpenID Connect Relying Party found in configuration");
return 1; return 1;
} }
$self->oidcRPList( $self->conf->{oidcRPMetaDataOptions} );
foreach my $rp ( keys %{ $self->oidcRPList } ) { foreach my $rp ( keys %{ $self->conf->{oidcRPMetaDataOptions} || {} } ) {
my $valid = 1;
# Handle attributes
my $attributes = { my $attributes = {
profile => PROFILE, profile => PROFILE,
email => EMAIL, email => EMAIL,
@ -125,50 +128,70 @@ sub loadRPs {
$attributes->{$claim} = \@extraAttributes; $attributes->{$claim} = \@extraAttributes;
} }
} }
$self->rpAttributes->{$rp} = $attributes;
my $rule = $self->oidcRPList->{$rp}->{oidcRPMetaDataOptionsRule}; # Access rule
my $rule = $self->conf->{oidcRPMetaDataOptions}->{$rp}
->{oidcRPMetaDataOptionsRule};
if ( length $rule ) { if ( length $rule ) {
$rule = $self->p->HANDLER->substitute($rule); $rule = $self->p->HANDLER->substitute($rule);
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) { unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
$self->error( 'OIDC RP rule error: ' $self->logger->error( "Unable to build access rule for RP $rp: "
. $self->p->HANDLER->tsv->{jail}->error ); . $self->p->HANDLER->tsv->{jail}->error );
return 0; $valid = 0;
} }
$self->spRules->{$rp} = $rule;
} }
# Load per-RP macros # Load per-RP macros
my $macros = $self->conf->{oidcRPMetaDataMacros}->{$rp}; my $macros = $self->conf->{oidcRPMetaDataMacros}->{$rp};
my $compiledMacros = {};
for my $macroAttr ( keys %{$macros} ) { for my $macroAttr ( keys %{$macros} ) {
my $macroRule = $macros->{$macroAttr}; my $macroRule = $macros->{$macroAttr};
if ( length $macroRule ) { if ( length $macroRule ) {
$macroRule = $self->p->HANDLER->substitute($macroRule); $macroRule = $self->p->HANDLER->substitute($macroRule);
unless ( $macroRule = $self->p->HANDLER->buildSub($macroRule) ) if ( $macroRule = $self->p->HANDLER->buildSub($macroRule) ) {
{ $compiledMacros->{$macroAttr} = $macroRule;
$self->error( 'OIDC RP macro error: ' }
. $self->p->HANDLER->tsv->{jail}->error ); else {
return 0; $self->logger->error(
"Unable to build macro $macroAttr for RP $rp:"
. $self->p->HANDLER->tsv->{jail}->error );
$valid = 0;
} }
$self->spMacros->{$rp}->{$macroAttr} = $macroRule;
} }
} }
# Load per-RP dynamic scopes # Load per-RP dynamic scopes
my $scopes = $self->conf->{oidcRPMetaDataScopeRules}->{$rp}; my $scopes = $self->conf->{oidcRPMetaDataScopeRules}->{$rp};
my $compiledScopes = {};
for my $scopeName ( keys %{$scopes} ) { for my $scopeName ( keys %{$scopes} ) {
my $scopeRule = $scopes->{$scopeName}; my $scopeRule = $scopes->{$scopeName};
if ( length $scopeRule ) { if ( length $scopeRule ) {
$scopeRule = $self->p->HANDLER->substitute($scopeRule); $scopeRule = $self->p->HANDLER->substitute($scopeRule);
unless ( $scopeRule = $self->p->HANDLER->buildSub($scopeRule) ) if ( $scopeRule = $self->p->HANDLER->buildSub($scopeRule) ) {
{ $compiledScopes->{$scopeName} = $scopeRule;
$self->error( 'OIDC RP dynamic scope rule error: ' }
. $self->p->HANDLER->tsv->{jail}->error ); else {
return 0; $self->logger->error(
"Unable to build scope $scopeName for RP $rp:"
. $self->p->HANDLER->tsv->{jail}->error );
$valid = 0;
} }
$self->spScopeRules->{$rp}->{$scopeName} = $scopeRule;
} }
} }
if ($valid) {
# Register RP
$self->oidcRPList->{$rp} =
$self->conf->{oidcRPMetaDataOptions}->{$rp};
$self->rpAttributes->{$rp} = $attributes;
$self->spMacros->{$rp} = $compiledMacros;
$self->spScopeRules->{$rp} = $compiledScopes;
$self->spRules->{$rp} = $rule;
}
else {
$self->logger->error(
"Relaying Party $rp has errors and will be ignored");
}
} }
return 1; return 1;
} }
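Review bot: The final log line `"Relaying Party $rp has errors and will be ignored"` misspells the OIDC term, and since it is now the only operator-visible signal that an RP was left out of `oidcRPList` (its clients will presumably be rejected as unknown rather than failing loudly at startup as before), it should read `"Relying Party $rp has errors and will be ignored (see previous errors)"` so the cause is easy to locate. The two build-failure messages `"Unable to build macro $macroAttr for RP $rp:"` and `"Unable to build scope $scopeName for RP $rp:"` are concatenated directly with the jail error text, so a space after the colon is needed to keep the log readable. Note also that `$self->spRules->{$rp} = $rule;` in the registration block now runs even when no rule is configured, storing an undefined value where the old code left the key absent; if any consumer tests `exists` rather than truthiness this is a behaviour change, so either move the assignment back under `if ( length $rule )` or confirm the callers. loadRPs begins before the first hunk.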