Add restExportSecretKeys option (#1799)

debian/liblemonldap-ng-handler-perl.cron.d

@@ -1,4 +1,4 @@
 #
 # Regular cron jobs for LemonLDAP::NG Handler
 #
-17-59/30 *	* * *	www-data	[ -x /usr/share/lemonldap-ng/bin/purgeLocalCache ] && /usr/share/lemonldap-ng/bin/purgeLocalCache
+1 *	* * *	www-data	[ -x /usr/share/lemonldap-ng/bin/purgeLocalCache ] && /usr/share/lemonldap-ng/bin/purgeLocalCache

fastcgi-server/man/llng-fastcgi-server.1p

@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "llng-fastcgi-server 1"
-.TH llng-fastcgi-server 1 "2019-06-06" "perl v5.28.1" "User Contributed Perl Documentation"
+.TH llng-fastcgi-server 1 "2019-06-13" "perl v5.28.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm

@@ -24,7 +24,7 @@ use constant MANAGERSECTION  => "manager";
 use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
 use constant APPLYSECTION            => "apply";
 our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
-our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|(?:(?:rest(?:Session|Config)|wsdl)Serv|activeTim)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
+our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection)$/;
 
 our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
 

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -2512,6 +2512,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => 0,
             'type'    => 'bool'
         },
+        'restExportSecretKeys' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
         'restPwdConfirmUrl' => {
             'type' => 'url'
         },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -22,7 +22,7 @@ sub perlExpr {
     my $err = join( '',
         grep { $_ =~ /Undefined subroutine/ ? () : $_ } split( /\n/, $@ ) );
     return $err ? ( 1, "__badExpression__: $err" ) : (1);
-};
+}
 
 my $url = $RE{URI}{HTTP}{ -scheme => "https?" };
 $url =~ s/(?<=[^\\])\$/\\\$/g;
@@ -1628,6 +1628,12 @@ sub attributes {
             type          => 'bool',
             documentation => 'Enable REST session server',
         },
+        restExportSecretKeys => {
+            default => 0,
+            type    => 'bool',
+            documentation =>
+              'Allow to export secret keys in REST session server',
+        },
         restConfigServer => {
             default       => 0,
             type          => 'bool',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -564,9 +564,10 @@ sub tree {
                             help  => 'portalservers.html',
                             form  => 'simpleInputContainer',
                             nodes => [
-                                'wsdlServer',       'restSessionServer',
-                                'restConfigServer', 'soapSessionServer',
-                                'soapConfigServer', 'exportedAttr',
+                                'wsdlServer',           'restSessionServer',
+                                'restExportSecretKeys', 'restConfigServer',
+                                'soapSessionServer',    'soapConfigServer',
+                                'exportedAttr',
                             ]
                         },
                         {
@@ -813,9 +814,12 @@ sub tree {
                                     help  => 'security.html#portal',
                                     form  => 'simpleInputContainer',
                                     nodes => [
-                                        'corsEnabled', 'corsAllow_Credentials', 
-                                        'corsAllow_Headers',  'corsAllow_Methods',
-                                        'corsAllow_Origin',    'corsExpose_Headers',
+                                        'corsEnabled',
+                                        'corsAllow_Credentials',
+                                        'corsAllow_Headers',
+                                        'corsAllow_Methods',
+                                        'corsAllow_Origin',
+                                        'corsExpose_Headers',
                                         'corsMax_Age',
                                     ]
                                 },

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"شعار",
 "rest2fVerifyArgs":"Verify Arguments",
 "rest2fVerifyUrl":"Verify URL",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"معايير ريست",
 "restPwdConfirmUrl":"عنوان اليو آر إل لتأكيد كلمة المرور",
 "restPwdModifyUrl":"عنوان اليو آر إل لتغيير كلمة المرور",
@@ -1002,4 +1003,4 @@
 "samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
 "samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Verify Arguments",
 "rest2fVerifyUrl":"Verify URL",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"REST parameters",
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
@@ -1002,4 +1003,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Verify Arguments",
 "rest2fVerifyUrl":"Verify URL",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"REST parameters",
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Arguments de vérification",
 "rest2fVerifyUrl":"URL de vérification",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"Paramètres REST",
 "restPwdConfirmUrl":"URL de confirmation de mot-de-passe",
 "restPwdModifyUrl":"URL de modification de mot-de-passe",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Verifica Argomenti",
 "rest2fVerifyUrl":"Verifica UR",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"Parametri REST",
 "restPwdConfirmUrl":"URL di conferma password",
 "restPwdModifyUrl":"URL di modifica password",
@@ -1002,4 +1003,4 @@
 "samlRelayStateTimeout":"Timeout di sessione di RelayState",
 "samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
 "samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Verify Arguments",
 "rest2fVerifyUrl":"Verify URL",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"Tham số REST",
 "restPwdConfirmUrl":"URL xác nhận mật khẩu",
 "restPwdModifyUrl":"URL thay đổi mật khẩu",
@@ -1002,4 +1003,4 @@
 "samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
 "samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -697,6 +697,7 @@
 "rest2fLogo":"Logo",
 "rest2fVerifyArgs":"Verify Arguments",
 "rest2fVerifyUrl":"Verify URL",
+"restExportSecretKeys":"Export secret attributes in REST",
 "restParams":"REST parameters",
 "restPwdConfirmUrl":"Password confirmation URL",
 "restPwdModifyUrl":"Password change URL",
@@ -1002,4 +1003,4 @@
 "samlRelayStateTimeout":"RelayState session timeout",
 "samlUseQueryStringSpecific":"Use specific query_string method",
 "samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
-}
+}

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm

@@ -134,7 +134,13 @@ sub init {
 
         # Methods inherited from Lemonldap::NG::Common::Session::REST
         $self->addUnauthRoute(
-            sessions => { ':sessionType' => 'rawSession' },
+            sessions => {
+                ':sessionType' => (
+                    $self->conf->{restExportSecretKeys}
+                    ? 'rawSession'
+                    : 'session'
+                )
+            },
             ['GET']
         );
         $self->addUnauthRoute(

lemonldap-ng-portal/site/cron/purgeCentralCache.cron.d

@@ -1,4 +1,4 @@
 #
 # Regular cron jobs for LemonLDAP::NG Portal
 #
-*/10 *	* * *	__APACHEUSER__	[ -x __BINDIR__/purgeCentralCache ] && __BINDIR__/purgeCentralCache
+7 *	* * *	__APACHEUSER__	[ -x __BINDIR__/purgeCentralCache ] && __BINDIR__/purgeCentralCache