Merge branch 'v2.0'
commit
ee661fc61d
@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
|
|||
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
|
||||
use constant APPLYSECTION => "apply";
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonation(?:SkipEmptyValue|MergeSSOgroup)s)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|(?:(?:rest(?:Session|Config)|wsdl)Serv|activeTim)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForceProtection
)$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|orsEnabled|da)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonation(?:SkipEmptyValue|MergeSSOgroup)s)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|no(?:tif(?:ication(?:Server)?|y(?:Deleted|Other))|AjaxHook)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|(?:(?:rest(?:Session|Config)|wsdl)Serv|activeTim)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|dbiDynamicHashEnabled|bruteForc
eProtection)$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
@ -33,6 +33,13 @@ sub defaultValues {
|
|||
'checkXSS' => 1,
|
||||
'confirmFormMethod' => 'post',
|
||||
'cookieName' => 'lemonldap',
|
||||
'corsAllow_Credentials' => 'true',
|
||||
'corsAllow_Headers' => '*',
|
||||
'corsAllow_Methods' => 'POST,GET',
|
||||
'corsAllow_Origin' => '*',
|
||||
'corsEnabled' => 1,
|
||||
'corsExpose_Headers' => '*',
|
||||
'corsMax_Age' => '86400',
|
||||
'cspConnect' => '\'self\'',
|
||||
'cspDefault' => '\'self\'',
|
||||
'cspFont' => '\'self\'',
|
||||
|
|
|
@ -943,6 +943,34 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'test' => qr/^[a-zA-Z][a-zA-Z0-9_-]*$/,
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsAllow_Credentials' => {
|
||||
'default' => 'true',
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsAllow_Headers' => {
|
||||
'default' => '*',
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsAllow_Methods' => {
|
||||
'default' => 'POST,GET',
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsAllow_Origin' => {
|
||||
'default' => '*',
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsEnabled' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'corsExpose_Headers' => {
|
||||
'default' => '*',
|
||||
'type' => 'text'
|
||||
},
|
||||
'corsMax_Age' => {
|
||||
'default' => '86400',
|
||||
'type' => 'text'
|
||||
},
|
||||
'cspConnect' => {
|
||||
'default' => '\'self\'',
|
||||
'type' => 'text'
|
||||
|
|
|
@ -717,6 +717,47 @@ sub attributes {
|
|||
type => 'password',
|
||||
documentation => 'Secret key',
|
||||
},
|
||||
corsEnabled => {
|
||||
default => 1,
|
||||
type => 'bool',
|
||||
documentation => 'Enable Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsAllow_Credentials => {
|
||||
type => 'text',
|
||||
default => 'true',
|
||||
documentation =>
|
||||
'Allow credentials for Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsAllow_Headers => {
|
||||
type => 'text',
|
||||
default => '*',
|
||||
documentation =>
|
||||
'Allowed headers for Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsAllow_Methods => {
|
||||
type => 'text',
|
||||
default => 'POST,GET',
|
||||
documentation =>
|
||||
'Allowed methods for Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsAllow_Origin => {
|
||||
type => 'text',
|
||||
default => '*',
|
||||
documentation =>
|
||||
'Allowed origine for Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsExpose_Headers => {
|
||||
type => 'text',
|
||||
default => '*',
|
||||
documentation =>
|
||||
'Exposed headers for Cross-Origin Resource Sharing',
|
||||
},
|
||||
corsMax_Age => {
|
||||
type => 'text',
|
||||
default => '86400', # 24 hours
|
||||
documentation =>
|
||||
'MAx-age for Cross-Origin Resource Sharing',
|
||||
},
|
||||
cspDefault => {
|
||||
type => 'text',
|
||||
default => "'self'",
|
||||
|
|
|
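Review bot: The shipped defaults pair `corsAllow_Origin => '*'` with `corsAllow_Credentials => 'true'` while `corsEnabled => 1`, so out of the box every portal HTML response advertises a wildcard origin together with credentials; browsers refuse that combination for credentialed requests, and a wildcard origin on an SSO portal is a wider exposure than most deployments need, so consider defaulting `corsEnabled => 0` (or an empty origin) so operators opt in with an explicit origin, and documenting that `corsAllow_Credentials` must not be `true` alongside `*`. The same defaults are repeated in the generated defaultValues and Manager attributes hunks earlier in this commit and should change together. Two documentation strings carry typos: `'Allowed origine for Cross-Origin Resource Sharing'` should read `'Allowed origin for Cross-Origin Resource Sharing'` and `'MAx-age for Cross-Origin Resource Sharing'` should read `'Max-age for Cross-Origin Resource Sharing'`. The enclosing `sub attributes` starts and ends outside the hunk.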
@ -817,6 +817,17 @@ sub tree {
|
|||
'cspConnect',
|
||||
]
|
||||
},
|
||||
{
|
||||
title => 'crossOrigineResourceSharing',
|
||||
help => 'security.html#portal',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [
|
||||
'corsEnabled', 'corsAllow_Credentials',
|
||||
'corsAllow_Headers', 'corsAllow_Methods',
|
||||
'corsAllow_Origin', 'corsExpose_Headers',
|
||||
'corsMax_Age',
|
||||
]
|
||||
},
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
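Review bot: The new section title key `crossOrigineResourceSharing` misspells "Origin", and this commit introduces the same key in every translation file; it becomes a public translation key once released, so renaming it to `crossOriginResourceSharing` here and in the language files is far cheaper now than after deployments carry custom translations. `sub tree` starts and ends outside the hunk.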
@ -9,8 +9,10 @@ max = 25
|
|||
# of opened nodes in the tree
|
||||
schemes =
|
||||
_whatToTrace: [
|
||||
# First level: display 1 letter
|
||||
(t,v) ->
|
||||
"groupBy=substr(#{t},1)"
|
||||
# Second level (if no overScheme), display usernames
|
||||
(t,v) ->
|
||||
"#{t}=#{v}*&groupBy=#{t}"
|
||||
(t,v) ->
|
||||
|
@ -59,12 +61,18 @@ schemes =
|
|||
q.replace(/\&groupBy.*$/, '') + "&ipAddr=#{v}"
|
||||
]
|
||||
|
||||
# When number of children nodes exceeds "max" value and if "overScheme.<type>"
|
||||
# is available and does not return "null", a level is added. See
|
||||
# "$scope.updateTree" method
|
||||
overScheme =
|
||||
_whatToTrace: (t,v,level,over) ->
|
||||
if level == 1 and v.length < max
|
||||
# "v.length > over" avoids a loop if one user opened more than "max"
|
||||
# sessions
|
||||
if level == 1 and v.length > over
|
||||
"#{t}=#{v}*&groupBy=substr(#{t},#{(level+over+1)})"
|
||||
else
|
||||
null
|
||||
# Note: IPv4 only
|
||||
ipAddr: (t,v,level,over) ->
|
||||
if level > 0 and level < 4
|
||||
"#{t}=#{v}*&groupBy=net(#{t},#{16*level+4*(over+1)},2)"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
// Generated by CoffeeScript 1.12.7
|
||||
// Generated by CoffeeScript 1.12.8
|
||||
|
||||
/*
|
||||
* Sessions explorer
|
||||
|
@ -74,7 +74,7 @@
|
|||
|
||||
overScheme = {
|
||||
_whatToTrace: function(t, v, level, over) {
|
||||
if (level === 1 && v.length < max) {
|
||||
if (level === 1 && v.length > over) {
|
||||
return t + "=" + v + "*&groupBy=substr(" + t + "," + (level + over + 1) + ")";
|
||||
} else {
|
||||
return null;
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"مصدر الأسلوب ",
|
||||
"cspConnect":"وجهات أجاكس",
|
||||
"cspFont":" مصدر نوع الخط",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"استئنف",
|
||||
"cfgVersion":"عملية ضبط الإصدارات",
|
||||
"checkXSS":"تحقق من هجمات XSS",
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"Style source",
|
||||
"cspConnect":"Ajax destinations",
|
||||
"cspFont":"Font source",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"Resume",
|
||||
"cfgVersion":"Configuration version",
|
||||
"checkXSS":"Check XSS attacks",
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"Style source",
|
||||
"cspConnect":"Ajax destinations",
|
||||
"cspFont":"Font source",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"Resume",
|
||||
"cfgVersion":"Configuration version",
|
||||
"checkXSS":"Check XSS attacks",
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"Sources des styles",
|
||||
"cspConnect":"Destinations des requêtes AJAX",
|
||||
"cspFont":"Sources des polices",
|
||||
"crossOrigineResourceSharing":"Partage des ressources entre origines multiples",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Informations d'authentification autorisées",
|
||||
"corsAllow_Headers":"Entêtes autorisés",
|
||||
"corsAllow_Methods":"Méthodes autorisées",
|
||||
"corsAllow_Origin":"Origine autorisée",
|
||||
"corsExpose_Headers":"Entêtes en liste blanche",
|
||||
"corsMax_Age":"Durée de mise en cache de la requête préliminaire",
|
||||
"cfgLog":"Résumé",
|
||||
"cfgVersion":"Version de la configuration",
|
||||
"checkXSS":"Contrôler les attaques XSS",
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"Origine di stile",
|
||||
"cspConnect":"Destinazioni Ajax",
|
||||
"cspFont":"Origine carattere",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"Riprendi",
|
||||
"cfgVersion":"Versione configurazione",
|
||||
"checkXSS":"Verifica attacchi XSS",
|
||||
|
|
|
@ -148,6 +148,14 @@
|
|||
"cspStyle":"Nguồn phong cách",
|
||||
"cspConnect":"Đích cúa Ajax",
|
||||
"cspFont":"Nguồn phông chữ",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"Tiếp tục",
|
||||
"cfgVersion":"Phiên bản cấu hình",
|
||||
"checkXSS":"Kiểm tra tấn công XSS",
|
||||
|
|
|
@ -147,6 +147,14 @@
|
|||
"cspStyle":"Style source",
|
||||
"cspConnect":"Ajax destinations",
|
||||
"cspFont":"字体源",
|
||||
"crossOrigineResourceSharing":"Cross-Origin Resource Sharing",
|
||||
"corsEnabled":"Activation",
|
||||
"corsAllow_Credentials":"Access-Control-Allow-Credentials",
|
||||
"corsAllow_Headers":"Access-Control-Allow-Headers",
|
||||
"corsAllow_Methods":"Access-Control-Allow-Methods",
|
||||
"corsAllow_Origin":"Access-Control-Allow-Origin",
|
||||
"corsExpose_Headers":"Access-Control-Expose-Headers",
|
||||
"corsMax_Age":"Access-Control-Max-Age",
|
||||
"cfgLog":"档案",
|
||||
"cfgVersion":"配置信息",
|
||||
"checkXSS":"Check XSS attacks",
|
||||
|
|
|
@ -413,6 +413,7 @@ site/templates/common/oidc_checksession.tpl
|
|||
site/templates/common/registerBrowser.tpl
|
||||
site/templates/common/script.tpl
|
||||
t/01-AuthDemo.t
|
||||
t/01-CSP-and-CORS-headers.t
|
||||
t/01-pdata.t
|
||||
t/02-Password-Demo.t
|
||||
t/03-XSS-protection.t
|
||||
|
@ -431,7 +432,9 @@ t/25-AuthSlave.t
|
|||
t/26-AuthRemote.t
|
||||
t/27-AuthProxy.t
|
||||
t/28-AuthChoice-and-password.t
|
||||
t/28-AuthChoice-with-captcha.t
|
||||
t/28-AuthChoice-with-rules.t
|
||||
t/28-AuthChoice-with-token.t
|
||||
t/29-AuthGPG.t
|
||||
t/29-AuthSSL.t
|
||||
t/30-Auth-and-issuer-SAML-Artifact-with-SOAP-SLO-IdP-initiated.t
|
||||
|
@ -532,10 +535,13 @@ t/66-CDA-with-REST.t
|
|||
t/66-CDA-with-SOAP.t
|
||||
t/66-CDA.t
|
||||
t/67-CheckUser-with-Global-token.t
|
||||
t/67-CheckUser-with-issuer-SAML-POST.t
|
||||
t/67-CheckUser-with-token.t
|
||||
t/67-CheckUser.t
|
||||
t/68-Impersonation-with-doubleCookies.t
|
||||
t/68-Impersonation-with-History.t
|
||||
t/68-Impersonation-with-merge.t
|
||||
t/68-Impersonation-with-TOTP.t
|
||||
t/68-Impersonation.t
|
||||
t/69-FavApps.t
|
||||
t/70-2F-TOTP-with-History.t
|
||||
|
@ -543,7 +549,7 @@ t/70-2F-TOTP.t
|
|||
t/70-2F-TOTP_8.t
|
||||
t/71-2F-U2F-with-History.t
|
||||
t/71-2F-U2F.t
|
||||
t/72-2F-REST-with-HISTORY.t
|
||||
t/72-2F-REST-with-History.t
|
||||
t/73-2F-UTOTP-TOTP-and-U2F-with-History.t
|
||||
t/73-2F-UTOTP-TOTP-and-U2F.t
|
||||
t/73-2F-UTOTP-TOTP-only-with-History.t
|
||||
|
|
|
@ -139,6 +139,7 @@ sub run {
|
|||
my ( $self, $req ) = @_;
|
||||
|
||||
my $checkLogins = $req->param('checkLogins');
|
||||
my $spoofId = $req->param('spoofId') || '';
|
||||
$self->logger->debug("2F checkLogins set") if ($checkLogins);
|
||||
|
||||
# Skip 2F unless a module has been registered
|
||||
|
@ -186,6 +187,8 @@ sub run {
|
|||
$req->sessionInfo->{_2fRealSession} = $req->id;
|
||||
$req->sessionInfo->{_2fUrldc} = $req->urldc;
|
||||
$req->sessionInfo->{_2fUtime} = $req->{sessionInfo}->{_utime};
|
||||
$req->sessionInfo->{_impSpoofId} = $spoofId;
|
||||
$req->sessionInfo->{_impUser} = $req->user;
|
||||
my $token = $self->ott->createToken( $req->sessionInfo );
|
||||
delete $req->{authResult};
|
||||
|
||||
|
|
|
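Review bot: `_impSpoofId` is written into the session and then sealed into the one-time token by `$self->ott->createToken( $req->sessionInfo )` straight from the raw `spoofId` request parameter, with no validation in this engine; the `userControl` check in the Impersonation plugin's `run` (changed elsewhere in this commit) is what validates it after 2F, so the trust boundary is only visible when both files are read together. A comment at the assignment such as `# Raw request value; validated against userControl by the Impersonation plugin once 2F completes` would make that explicit. It is also worth confirming what happens to the stored `_impSpoofId`/`_impUser` keys when the Impersonation plugin is not enabled, since this engine stores them unconditionally and only that plugin appears to strip `_imp*` keys. `sub run` starts and ends outside the hunk.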
@ -26,18 +26,13 @@ sub extractFormInfo {
|
|||
my ( $self, $req ) = @_;
|
||||
unless ( $self->checkChoice($req) ) {
|
||||
$self->logger->debug("Initializing Auth modules...");
|
||||
|
||||
foreach my $mod ( values %{ $self->modules } ) {
|
||||
if ( $mod->can('setSecurity') ) {
|
||||
$mod->setSecurity($req);
|
||||
last;
|
||||
}
|
||||
}
|
||||
$self->setSecurity($req);
|
||||
$self->logger->debug(
|
||||
"Send init/script -> " . $req->data->{customScript} )
|
||||
if $req->data->{customScript};
|
||||
return PE_FIRSTACCESS;
|
||||
}
|
||||
|
||||
my $res = $req->data->{enabledMods0}->[0]->extractFormInfo($req);
|
||||
delete $req->pdata->{_choice} if ( $res > 0 );
|
||||
return $res;
|
||||
|
@ -65,4 +60,14 @@ sub authLogout {
|
|||
return $res;
|
||||
}
|
||||
|
||||
sub setSecurity {
|
||||
my ( $self, $req ) = @_;
|
||||
foreach my $mod ( values %{ $self->modules } ) {
|
||||
if ( $mod->can('setSecurity') ) {
|
||||
$mod->setSecurity($req);
|
||||
last;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
|
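Review bot: The new `setSecurity` iterates `values %{ $self->modules }` and stops at the first module that `can('setSecurity')`, so when more than one configured module implements it, which module's security settings are applied is decided by Perl's hash order and can differ from one process to the next. If a single implementer is the expectation, document it; otherwise iterate deterministically, e.g. `foreach my $name ( sort keys %{ $self->modules } ) { my $mod = $self->modules->{$name}; ... }`. The sub also falls off its end without an explicit `return`, so add `return 1;` (or `return;`) after the loop so callers do not receive whatever the loop evaluated to. The first hunk's `extractFormInfo`, which now delegates to this sub, starts outside its hunk.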
@ -80,9 +80,12 @@ has spRules => (
|
|||
# Custom template parameters
|
||||
has customParameters => ( is => 'rw', default => sub { {} } );
|
||||
|
||||
# Content-Security-Policy header
|
||||
# Content-Security-Policy headers
|
||||
has csp => ( is => 'rw' );
|
||||
|
||||
# Cross-Origine Resource Sharing headers
|
||||
has cors => ( is => 'rw' );
|
||||
|
||||
# INITIALIZATION
|
||||
|
||||
sub init {
|
||||
|
@ -179,13 +182,29 @@ sub reloadConf {
|
|||
$self->{conf}->{$key} ||= $conf->{$key};
|
||||
}
|
||||
|
||||
# Initialize content-security-policy header
|
||||
# Initialize content-security-policy headers
|
||||
my $csp = '';
|
||||
foreach (qw(default img src style font connect script)) {
|
||||
my $prm = $self->conf->{ 'csp' . ucfirst($_) };
|
||||
$csp .= "$_-src $prm;" if ($prm);
|
||||
}
|
||||
$self->csp($csp);
|
||||
$self->logger->debug( "Initialized CSP headers : " . $self->csp );
|
||||
|
||||
# Initialize Cross-Origin Resource Sharing headers
|
||||
my $cors = '';
|
||||
foreach (
|
||||
qw(Allow_Origin Allow_Credentials Allow_Headers Allow_Methods Expose_Headers Max_Age)
|
||||
)
|
||||
{
|
||||
my $header = $_;
|
||||
my $prm = $self->conf->{ 'cors' . $_ };
|
||||
$header =~ s/_/-/;
|
||||
$prm =~ s/\s+//;
|
||||
$cors .= "Access-Control-$header;$prm;";
|
||||
}
|
||||
$self->cors($cors);
|
||||
$self->logger->debug( "Initialized CORS headers : " . $self->cors );
|
||||
|
||||
# Initialize templateDir
|
||||
$self->{templateDir} =
|
||||
|
|
|
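Review bot: In the CORS loop, `$prm =~ s/\s+//;` removes only the first run of whitespace (no `/g`), so a value such as `POST, GET, OPTIONS` keeps its later spaces, and the same statement warns and yields an empty header value when `$self->conf->{ 'cors' . $_ }` is undef; either strip everything with `s/\s+//g` on a `// ''`-defaulted value, or skip the header when the value is empty as the CSP loop does with `if ($prm)`. Packing header names and values into one `;`-joined string that `sendHtml` later splits with `split /;/` (the next hunk) breaks the name/value pairing as soon as a configured value contains a `;`; keeping the pairs as an arrayref and pushing `@{ $self->cors }` in `sendHtml` avoids re-parsing what this code just built. The attribute comment `# Cross-Origine Resource Sharing headers` in the first hunk should read `# Cross-Origin Resource Sharing headers`. `sub reloadConf` starts and ends outside the hunk.
```perl
    # Initialize Cross-Origin Resource Sharing headers as (name, value) pairs
    my @cors;
    foreach my $name (
        qw(Allow_Origin Allow_Credentials Allow_Headers Allow_Methods Expose_Headers Max_Age)
      )
    {
        my $header = "Access-Control-$name";
        $header =~ s/_/-/;
        my $prm = $self->conf->{"cors$name"} // '';
        $prm =~ s/\s+//g;
        push @cors, $header, $prm;
    }
    $self->cors( \@cors );
    $self->logger->debug( "Initialized CORS headers : " . join( ';', @cors ) );
    # … unchanged: templateDir initialization …
```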
@ -790,6 +790,9 @@ sub sendHtml {
|
|||
'Pragma' => 'no-cache', # HTTP 1.0
|
||||
'Expires' => '0'; # Proxies
|
||||
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors if $self->conf->{corsEnabled};
|
||||
|
||||
# Set authorized URL for POST
|
||||
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
|
||||
if ( my $url = $req->urldc ) {
|
||||
|
|
|
@ -37,17 +37,16 @@ sub init {
|
|||
$self->rule($rule);
|
||||
|
||||
# Parse identity rule
|
||||
$self->logger->debug( "Impersonation identities rule -> "
|
||||
$self->logger->debug( "Impersonation identity rule -> "
|
||||
. $self->conf->{impersonationIdRule} );
|
||||
$rule =
|
||||
$hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
|
||||
unless ($rule) {
|
||||
$self->error(
|
||||
"Bad impersonation identities rule -> " . $hd->tsv->{jail}->error );
|
||||
"Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->idRule($rule);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -55,10 +54,19 @@ sub init {
|
|||
|
||||
sub run {
|
||||
my ( $self, $req ) = @_;
|
||||
my $spoofId = $req->param('spoofId') || $req->{user};
|
||||
|
||||
return $req->authResult if $req->authResult > PE_OK; # Skip Impersonation if error during Auth process
|
||||
|
||||
my $statut = PE_OK;
|
||||
my $loginHistory =
|
||||
$req->{sessionInfo}->{_loginHistory}; # Store login history
|
||||
$req->{user} ||= $req->{sessionInfo}->{_impUser}; # If 2FA is enabled
|
||||
my $spoofId = $req->param('spoofId') # Impersonation required
|
||||
|| $req->{sessionInfo}->{_impSpoofId} # If 2FA is enabled
|
||||
|| $req->{user}; # NO Impersonation required
|
||||
|
||||
$self->logger->debug("No impersonation required")
|
||||
if ( $spoofId eq $req->{user} );
|
||||
my $statut = PE_OK;
|
||||
|
||||
if ( $spoofId !~ /$self->{conf}->{userControl}/o ) {
|
||||
$self->userLogger->error('Malformed spoofed Id');
|
||||
|
@ -69,7 +77,7 @@ sub run {
|
|||
|
||||
# Check activation rule
|
||||
if ( $spoofId ne $req->{user} ) {
|
||||
$self->logger->debug("Spoofied Id: $spoofId / Real Id: $req->{user}");
|
||||
$self->logger->debug("Spoof Id: $spoofId / Real Id: $req->{user}");
|
||||
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->error('Impersonation service not authorized');
|
||||
$spoofId = $req->{user};
|
||||
|
@ -86,7 +94,9 @@ sub run {
|
|||
next unless defined $req->{sessionInfo}->{$k};
|
||||
}
|
||||
$spk = "$self->{conf}->{impersonationPrefix}$k";
|
||||
unless ( $self->hAttr =~ /\b$k\b/ ) {
|
||||
unless ( $self->hAttr =~ /\b$k\b/
|
||||
|| $k =~ /^(?:_imp|token|_type)\w*\b/ )
|
||||
{
|
||||
$realSession->{$spk} = $req->{sessionInfo}->{$k};
|
||||
$self->logger->debug("-> Store $k in realSession key: $spk");
|
||||
}
|
||||
|
@ -94,7 +104,7 @@ sub run {
|
|||
delete $req->{sessionInfo}->{$k};
|
||||
}
|
||||
|
||||
$spoofSession = $self->_userDatas( $req, $spoofId, $realSession );
|
||||
$spoofSession = $self->_userData( $req, $spoofId, $realSession );
|
||||
if ( $req->error ) {
|
||||
if ( $req->error == PE_BADCREDENTIALS ) {
|
||||
$statut = PE_BADCREDENTIALS;
|
||||
|
@ -104,8 +114,8 @@ sub run {
|
|||
}
|
||||
}
|
||||
|
||||
# Update spoofed session
|
||||
$self->logger->debug("Populating spoofed session...");
|
||||
# Update spoof session
|
||||
$self->logger->debug("Populating spoof session...");
|
||||
foreach (qw (_auth _userDB)) {
|
||||
$self->logger->debug("Processing $_...");
|
||||
$spk = "$self->{conf}->{impersonationPrefix}$_";
|
||||
|
@ -138,9 +148,11 @@ sub run {
|
|||
|
||||
# Main session
|
||||
$self->p->updateSession( $req, $spoofSession );
|
||||
$req->{sessionInfo}->{_loginHistory} =
|
||||
$loginHistory; # Restore login history
|
||||
$req->steps( [ $self->p->validSession, @{ $self->p->endAuth } ] );
|
||||
|
||||
# Restore _httpSession for double Cookies
|
||||
# Restore _httpSession for Double Cookies
|
||||
if ( $self->conf->{securedCookie} >= 2 ) {
|
||||
$self->p->updateSession( $req, $spoofSession,
|
||||
$req->{sessionInfo}->{real__httpSession} );
|
||||
|
@ -150,13 +162,13 @@ sub run {
|
|||
return $statut;
|
||||
}
|
||||
|
||||
sub _userDatas {
|
||||
sub _userData {
|
||||
my ( $self, $req, $spoofId, $realSession ) = @_;
|
||||
my $realId = $req->{user};
|
||||
$req->{user} = $spoofId;
|
||||
my $raz = 0;
|
||||
|
||||
# Compute Macros and Groups with real and spoofed sessions
|
||||
# Compute Macros and Groups with real and spoof sessions
|
||||
$req->{sessionInfo} = {%$realSession};
|
||||
|
||||
# Search user in database
|
||||
|
@ -178,7 +190,7 @@ sub _userDatas {
|
|||
$raz = 1;
|
||||
}
|
||||
|
||||
# Check identity rule if impersonation required
|
||||
# Check identity rule if Impersonation required
|
||||
if ( $realId ne $spoofId ) {
|
||||
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
|
@ -190,7 +202,7 @@ sub _userDatas {
|
|||
}
|
||||
}
|
||||
|
||||
# Same real and spoofed session - Compute Macros and Groups
|
||||
# Same real and spoof session - Compute Macros and Groups
|
||||
if ($raz) {
|
||||
$req->{sessionInfo} = {};
|
||||
$req->{sessionInfo} = {%$realSession};
|
||||
|
@ -201,14 +213,13 @@ sub _userDatas {
|
|||
'setLocalGroups'
|
||||
]
|
||||
);
|
||||
$self->logger->debug('Spoofed session equal real session');
|
||||
$self->logger->debug('Spoof session equal real session');
|
||||
$req->error(PE_BADCREDENTIALS);
|
||||
if ( my $error = $self->p->process($req) ) {
|
||||
$self->logger->debug("Process returned error: $error");
|
||||
$req->error($error);
|
||||
}
|
||||
}
|
||||
|
||||
return $req->{sessionInfo};
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,153 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
require 't/test-lib.pm';
|
||||
|
||||
my $res;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
useSafeJail => 1,
|
||||
'corsAllow_Origin' => '',
|
||||
'corsAllow_Methods' => 'POST',
|
||||
'cspFormAction' => '*'
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
# Test normal first access
|
||||
# ------------------------
|
||||
ok( $res = $client->_get('/'), 'Unauth JSON request' );
|
||||
count(1);
|
||||
expectReject($res);
|
||||
|
||||
# Test "first access" with good url
|
||||
ok(
|
||||
$res =
|
||||
$client->_get( '/', query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' ),
|
||||
'Unauth ajax request with good url'
|
||||
);
|
||||
count(1);
|
||||
expectReject($res);
|
||||
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu' );
|
||||
ok( $res->[2]->[0] =~ m%<span id="languages"></span>%, ' Language icons found' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
# CORS
|
||||
ok( $res->[1]->[12] eq 'Access-Control-Allow-Origin', ' CORS origin found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[13] eq '', " CORS origin ''" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[14] eq 'Access-Control-Allow-Credentials',
|
||||
' CORS credentials found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[15] eq 'true', " CORS credentials 'true'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[16] eq 'Access-Control-Allow-Headers', " CORS headers found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[17] eq '*', " CORS headers '*'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[18] eq 'Access-Control-Allow-Methods', " CORS methods found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[19] eq 'POST', " CORS methods 'POST'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[20] eq 'Access-Control-Expose-Headers',
|
||||
" CORS expose-headers found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[21] eq '*', " CORS expose-headers '*'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[22] eq 'Access-Control-Max-Age', ' CORS max-age found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[23] == 86400, ' CORS max-age 86400' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(12);
|
||||
|
||||
#CSP
|
||||
ok( $res->[1]->[26] eq 'Content-Security-Policy', ' CSP found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok(
|
||||
$res->[1]->[27] =~
|
||||
/default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action \*;frame-ancestors 'none'/,
|
||||
' CSP headers found'
|
||||
) or print STDERR Dumper( $res->[1] );
|
||||
count(2);
|
||||
|
||||
# Try to authenticate with good password
|
||||
# --------------------------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=dwho&password=dwho'),
|
||||
length => 23,
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
my $id = expectCookie($res);
|
||||
|
||||
# Try to get a redirection for an auth user with a valid url
|
||||
# ----------------------------------------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
query => 'url=aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Auth ajax request with good url'
|
||||
);
|
||||
count(1);
|
||||
expectRedirection( $res, 'http://test1.example.com/' );
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'http://test1.example.com/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get test1'
|
||||
);
|
||||
count(1);
|
||||
|
||||
ok( $res->[1]->[14] eq 'Access-Control-Allow-Origin', ' CORS origin found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[15] eq '', " CORS origin ''" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[16] eq 'Access-Control-Allow-Credentials',
|
||||
' CORS credentials found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[17] eq 'true', " CORS credentials 'true'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[18] eq 'Access-Control-Allow-Headers', " CORS headers found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[19] eq '*', " CORS headers '*'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[20] eq 'Access-Control-Allow-Methods', " CORS methods found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[21] eq 'POST', " CORS methods 'POST'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[22] eq 'Access-Control-Expose-Headers',
|
||||
" CORS expose-headers found" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[23] eq '*', " CORS expose-headers '*'" )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[24] eq 'Access-Control-Max-Age', ' CORS max-age found' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
ok( $res->[1]->[25] == 86400, ' CORS max-age 86400' )
|
||||
or print STDERR Dumper( $res->[1] );
|
||||
count(12);
|
||||
|
||||
# Test logout
|
||||
$client->logout($id);
|
||||
|
||||
#print STDERR Dumper($res);
|
||||
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
|
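Review bot: Every header assertion addresses `$res->[1]` by a hard-coded position (`$res->[1]->[12]` through `[27]`, then `[14]` through `[25]`), so adding or reordering any header in `sendHtml` fails the CORS checks without saying what changed; for headers that appear once, building a hash, `my %hdr = @{ $res->[1] };`, and asserting `is( $hdr{'Access-Control-Allow-Origin'}, '', ' CORS origin empty' )` keeps the test stable and gives a useful diagnostic. The `Dumper` fallbacks rely on a function this file never imports (no `use Data::Dumper`), so it presumably comes from `t/test-lib.pm` — confirm. The file has `use strict` but no `use warnings`. The test never exercises `corsEnabled => 0`, which is the path that must emit no `Access-Control-*` header at all; a second client with CORS disabled asserting that `grep { /^Access-Control-/ } @{ $res->[1] }` is empty would cover it.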
@ -58,7 +58,7 @@ SKIP: {
|
|||
)
|
||||
{
|
||||
|
||||
# Try yo authenticate
|
||||
# Try to authenticate
|
||||
# -------------------
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get menu' );
|
||||
my @form = ( $res->[2]->[0] =~ m#<form.*?</form>#sg );
|
||||
|
|
|
@ -0,0 +1,107 @@
|
|||
use Test::More;
|
||||
use IO::String;
|
||||
use strict;
|
||||
|
||||
require 't/test-lib.pm';
|
||||
|
||||
my $res;
|
||||
my $maintests = 14;
|
||||
SKIP: {
|
||||
eval 'use GD::SecurityImage;use Image::Magick;';
|
||||
if ($@) {
|
||||
skip 'Image::Magick not found', $maintests;
|
||||
}
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
useSafeJail => 1,
|
||||
authentication => 'Choice',
|
||||
userDB => 'Same',
|
||||
passwordDB => 'Choice',
|
||||
captcha_login_enabled => 1,
|
||||
authChoiceParam => 'test',
|
||||
authChoiceModules => {
|
||||
'1_demo' => 'Demo;Demo;Null',
|
||||
'2_ssl' => 'SSL;Demo;Null',
|
||||
},
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
# Try to authenticate with an unknown user
|
||||
# -------------------
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get menu' );
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
|
||||
$query =~ s/.*\btoken=([^&]+).*/token=$1/;
|
||||
my $token;
|
||||
ok( $token = $1, ' Token value is defined' );
|
||||
ok( $res->[2]->[0] =~ m#<img src="data:image/png;base64#,
|
||||
' Captcha image inserted' );
|
||||
|
||||
my @form = ( $res->[2]->[0] =~ m#<form.*?</form>#sg );
|
||||
pop @form;
|
||||
shift @form;
|
||||
ok( @form == 2, 'Display 2 choices' );
|
||||
foreach (@form) {
|
||||
expectForm( [ $res->[0], $res->[1], [$_] ], undef, undef, 'test' );
|
||||
}
|
||||
|
||||
# Try to get captcha value
|
||||
my ( $ts, $captcha );
|
||||
ok( $ts = getCache()->get($token), ' Found token session' );
|
||||
$ts = eval { JSON::from_json($ts) };
|
||||
ok( $captcha = $ts->{captcha}, ' Found captcha value' );
|
||||
$query .= "&user=dalek&password=dwho&captcha=$captcha&test=1_demo";
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/', IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query with an unknown user'
|
||||
);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
'dalek rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
|
||||
# Try to authenticate
|
||||
# -------------------
|
||||
$query =~ s/.*\btoken=([^&]+).*/token=$1/;
|
||||
ok( $token = $1, ' Token value is defined' );
|
||||
ok( $res->[2]->[0] =~ m#<img src="data:image/png;base64#,
|
||||
' Captcha image inserted' );
|
||||
|
||||
@form = ( $res->[2]->[0] =~ m#<form.*?</form>#sg );
|
||||
pop @form;
|
||||
shift @form;
|
||||
ok( @form == 2, 'Display 2 choices' );
|
||||
foreach (@form) {
|
||||
expectForm( [ $res->[0], $res->[1], [$_] ], undef, undef, 'test' );
|
||||
}
|
||||
|
||||
# Try to get captcha value
|
||||
ok( $ts = getCache()->get($token), ' Found token session' );
|
||||
$ts = eval { JSON::from_json($ts) };
|
||||
ok( $captcha = $ts->{captcha}, ' Found captcha value' );
|
||||
$query .= "&user=dwho&password=dwho&captcha=$captcha&test=1_demo";
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/', IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
my $id = expectCookie($res);
|
||||
$client->logout($id);
|
||||
}
|
||||
count($maintests);
|
||||
clean_sessions();
|
||||
done_testing( count() );
|
|
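Review bot: The second token extraction, `$query =~ s/.*\btoken=([^&]+).*/token=$1/;` followed by `ok( $token = $1, ' Token value is defined' );`, can pass on a stale capture: if the form returned after the rejected 'dalek' attempt carried no token, the substitution does not match and `$1` still holds the value captured by the first extraction in the same SKIP block, so the check would succeed with the previous token. Binding the capture directly avoids that: `ok( scalar( ($token) = $query =~ /\btoken=([^&]+)/ ), ' Token value is defined' );` then `$query = "token=$token";`. The file also declares `use strict;` without `use warnings;`, and `$ts = eval { JSON::from_json($ts) };` discards `$@`, so a malformed token session only surfaces as the later 'Found captcha value' failure; appending `or diag "token session is not JSON: $@"` would name the cause.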
@ -120,7 +120,7 @@ m%<form id="lformKerberos" action="#" method="post" class="login Kerberos">%,
|
|||
# Test SQL
|
||||
my $postString = 'user=dwho&password=dwho&test=2_sql';
|
||||
|
||||
# Try yo authenticate
|
||||
# Try to authenticate
|
||||
# -------------------
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
|
|
|
@ -0,0 +1,86 @@
|
|||
use Test::More;
|
||||
use IO::String;
|
||||
use strict;
|
||||
|
||||
require 't/test-lib.pm';
|
||||
|
||||
my $res;
|
||||
my $maintests = 6;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
useSafeJail => 1,
|
||||
authentication => 'Choice',
|
||||
userDB => 'Same',
|
||||
passwordDB => 'Choice',
|
||||
requireToken => 1,
|
||||
authChoiceParam => 'test',
|
||||
authChoiceModules => {
|
||||
'1_demo' => 'Demo;Demo;Null',
|
||||
'2_ssl' => 'SSL;Demo;Null',
|
||||
},
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
# Try to authenticate with an unknown user
|
||||
# -------------------
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get menu' );
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
my @form = ( $res->[2]->[0] =~ m#<form.*?</form>#sg );
|
||||
pop @form;
|
||||
shift @form;
|
||||
ok( @form == 2, 'Display 2 choices' );
|
||||
foreach (@form) {
|
||||
expectForm( [ $res->[0], $res->[1], [$_] ], undef, undef, 'test' );
|
||||
}
|
||||
|
||||
$query =~ s/user=/user=dalek/;
|
||||
$query =~ s/password=/password=dwho/;
|
||||
$query =~ s/test=\w*\b/test=1_demo/;
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/', IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query with an unknown user'
|
||||
);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'token' );
|
||||
|
||||
ok( $res->[2]->[0] =~ /<span trmsg="5"><\/span><\/div>/,
|
||||
'dalek rejected with PE_BADCREDENTIALS' )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
|
||||
# Try to authenticate
|
||||
# -------------------
|
||||
@form = ( $res->[2]->[0] =~ m#<form.*?</form>#sg );
|
||||
pop @form;
|
||||
shift @form;
|
||||
ok( @form == 2, 'Display 2 choices' );
|
||||
foreach (@form) {
|
||||
expectForm( [ $res->[0], $res->[1], [$_] ], undef, undef, 'test' );
|
||||
}
|
||||
|
||||
$query =~ s/user=/user=dwho/;
|
||||
$query =~ s/password=/password=dwho/;
|
||||
$query =~ s/test=\w*\b/test=1_demo/;
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/', IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
my $id = expectCookie($res);
|
||||
$client->logout($id);
|
||||
|
||||
count($maintests);
|
||||
clean_sessions();
|
||||
done_testing( count() );
|
|
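Review bot: With `requireToken => 1` the file never asserts the behaviour it is configured for: the token of the form returned after the rejected 'dalek' attempt is not compared with the first one, and the consumed token is never replayed to confirm it is refused, so both authentications would also pass with tokens disabled. Capturing the value from each `$query` (`my ($first_token) = $query =~ /\btoken=([^&]+)/;` after the first `expectForm`, the same into `$second_token` after the second) and adding `isnt( $second_token, $first_token, ' New token issued after failure' );` would pin it, with `$maintests` raised to match. Whether the 'token' argument of `expectForm` checks more than the field's presence is defined in t/test-lib.pm, outside this hunk.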
@ -10,7 +10,7 @@ my $maintests = 16;
|
|||
SKIP: {
|
||||
eval 'use GD::SecurityImage;use Image::Magick;';
|
||||
if ($@) {
|
||||
skip 'Lasso not found', $maintests;
|
||||
skip 'Image::Magick not found', $maintests;
|
||||
}
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
|
|
|
@ -123,6 +123,7 @@ ok( $attributes[13] =~ /^\d{14}$/, 'Timestamp found' )
|
|||
or print STDERR Dumper( \@attributes );
|
||||
count(4);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 3;
|
||||
|
||||
# Refresh rights
|
||||
|
|
|
@ -32,6 +32,7 @@ expectOK($res);
|
|||
my $id1 = expectCookie($res);
|
||||
count(1);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 3;
|
||||
|
||||
ok(
|
||||
|
|
|
@ -66,6 +66,7 @@ ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
|||
count(1);
|
||||
|
||||
# Expired token
|
||||
diag 'Waiting';
|
||||
sleep 3;
|
||||
$query =~ s/user=/user=rtyler/;
|
||||
$query =~ s/url=/url=http%3A%2F%2Ftest1.example.com/;
|
||||
|
|
|
@ -66,6 +66,7 @@ ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
|||
count(1);
|
||||
|
||||
# Expired token
|
||||
diag 'Waiting';
|
||||
sleep 3;
|
||||
$query =~ s/user=/user=rtyler/;
|
||||
$query =~ s/url=/url=http%3A%2F%2Ftest1.example.com/;
|
||||
|
|
|
@ -0,0 +1,115 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
BEGIN {
|
||||
require 't/test-lib.pm';
|
||||
}
|
||||
|
||||
my $res;
|
||||
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 1,
|
||||
brutForceProtection => 0,
|
||||
portalMainLogo => 'common/logos/logo_llng_old.png',
|
||||
requireToken => 0,
|
||||
impersonationRule => 1,
|
||||
checkUserDisplayPersistentInfo => 0,
|
||||
checkUserDisplayEmptyValues => 0,
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
## Try to authenticate with bad password
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=rtyler&password=relytr'),
|
||||
length => 27
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
expectReject($res);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 1;
|
||||
|
||||
## Try to authenticate
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
|
||||
count(1);
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
|
||||
|
||||
$query =~ s/user=/user=rtyler/;
|
||||
$query =~ s/password=/password=rtyler/;
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(1);
|
||||
my $id = expectCookie($res);
|
||||
|
||||
expectRedirection( $res, 'http://auth.example.com/' );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
count(1);
|
||||
expectOK($res);
|
||||
expectAuthenticatedAs( $res, 'rtyler' );
|
||||
$client->logout($id);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 1;
|
||||
|
||||
## Try to Impersonate
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
|
||||
count(1);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
|
||||
|
||||
$query =~ s/user=/user=rtyler/;
|
||||
$query =~ s/password=/password=rtyler/;
|
||||
$query =~ s/spoofId=/spoofId=dwho/;
|
||||
$query .= '&checkLogins=1';
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
$id = expectCookie($res);
|
||||
ok( $res->[2]->[0] =~ /trspan="lastLogins"/, 'History found' );
|
||||
count(2);
|
||||
|
||||
# History with 5 entries and 10 custom values
|
||||
my @c = ( $res->[2]->[0] =~ /<td>127.0.0.1/gs );
|
||||
my @cf = ( $res->[2]->[0] =~ /PE5<\/td>/gs );
|
||||
ok( @c == 3, ' -> Three entries found' );
|
||||
ok( @cf == 1, " -> One 'failedLogin' entry found" )
|
||||
or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(2);
|
||||
|
||||
$client->logout($id);
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
|
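Review bot: `brutForceProtection => 0,` in the `ini` block looks like a misspelling of `bruteForceProtection`; an unrecognised key would be silently ignored, so the test runs with the option's default rather than with protection explicitly disabled. The same spelling appears in the TOTP/impersonation file below (the `@ -0,0 +1,241 @@` hunk). The comment `# History with 5 entries and 10 custom values` does not match the assertions under it, which expect three rows and one failed login; `# History: 3 entries expected, one of them a failed login (PE5)` describes what is checked. `/<td>127.0.0.1/gs` also leaves the dots unescaped; `/<td>127\.0\.0\.1/gs` is what is meant.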
@ -0,0 +1,241 @@
|
|||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
|
||||
BEGIN {
|
||||
require 't/test-lib.pm';
|
||||
}
|
||||
SKIP: {
|
||||
eval { require Convert::Base32 };
|
||||
if ($@) {
|
||||
skip 'Convert::Base32 is missing';
|
||||
}
|
||||
require Lemonldap::NG::Common::TOTP;
|
||||
my $res;
|
||||
my $client = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => 'error',
|
||||
authentication => 'Demo',
|
||||
userDB => 'Same',
|
||||
loginHistoryEnabled => 0,
|
||||
brutForceProtection => 0,
|
||||
portalMainLogo => 'common/logos/logo_llng_old.png',
|
||||
requireToken => 0,
|
||||
checkUser => 1,
|
||||
impersonationRule => 1,
|
||||
checkUserDisplayPersistentInfo => 0,
|
||||
checkUserDisplayEmptyValues => 0,
|
||||
impersonationMergeSSOgroups => 1,
|
||||
totp2fSelfRegistration => 1,
|
||||
totp2fActivation => 1,
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
## Try to authenticate
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
|
||||
my ( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
|
||||
|
||||
$query =~ s/user=/user=rtyler/;
|
||||
$query =~ s/password=/password=rtyler/;
|
||||
#$query =~ s/spoofId=/spoofId=/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new($query),
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query'
|
||||
);
|
||||
count(2);
|
||||
|
||||
my $id = expectCookie($res);
|
||||
expectRedirection( $res, 'http://auth.example.com/' );
|
||||
|
||||
# Get Menu
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'Get Menu',
|
||||
);
|
||||
expectOK($res);
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<span trspan="connectedAs">Connected as</span> rtyler%,
|
||||
'Connected as dwho'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'rtyler' );
|
||||
count(2);
|
||||
|
||||
# TOTP form
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/2fregisters',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Form registration'
|
||||
);
|
||||
expectRedirection( $res, qr#/2fregisters/totp$# );
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/2fregisters/totp',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Form registration'
|
||||
);
|
||||
ok( $res->[2]->[0] =~ /totpregistration\.(?:min\.)?js/, 'Found TOTP js' );
|
||||
ok(
|
||||
$res->[2]->[0] =~ qr%<img src="/static/common/logos/logo_llng_old.png"%,
|
||||
'Found custom Main Logo'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
count(4);
|
||||
|
||||
# JS query
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/2fregisters/totp/getkey', IO::String->new(''),
|
||||
cookie => "lemonldap=$id",
|
||||
length => 0,
|
||||
),
|
||||
'Get new key'
|
||||
);
|
||||
eval { $res = JSON::from_json( $res->[2]->[0] ) };
|
||||
ok( not($@), 'Content is JSON' )
|
||||
or explain( $res->[2]->[0], 'JSON content' );
|
||||
my ( $key, $token );
|
||||
ok( $key = $res->{secret}, 'Found secret' );
|
||||
ok( $token = $res->{token}, 'Found token' );
|
||||
$key = Convert::Base32::decode_base32($key);
|
||||
count(4);
|
||||
|
||||
# Post code
|
||||
my $code;
|
||||
ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 ),
|
||||
'Code' );
|
||||
ok( $code =~ /^\d{6}$/, 'Code contains 6 digits' );
|
||||
my $s = "code=$code&token=$token";
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/2fregisters/totp/verify',
|
||||
IO::String->new($s),
|
||||
length => length($s),
|
||||
cookie => "lemonldap=$id",
|
||||
),
|
||||
'Post code'
|
||||
);
|
||||
eval { $res = JSON::from_json( $res->[2]->[0] ) };
|
||||
ok( not($@), 'Content is JSON' )
|
||||
or explain( $res->[2]->[0], 'JSON content' );
|
||||
ok( $res->{result} == 1, 'Key is registered' );
|
||||
count(5);
|
||||
|
||||
# Try to sign-in
|
||||
$client->logout($id);
|
||||
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/',
|
||||
IO::String->new('user=rtyler&password=rtyler&spoofId=dwho'),
|
||||
length => 40,
|
||||
accept => 'text/html',
|
||||
),
|
||||
'Auth query with Impersonation'
|
||||
);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/totp2fcheck', 'token' );
|
||||
ok( $code = Lemonldap::NG::Common::TOTP::_code( undef, $key, 0, 30, 6 ),
|
||||
'Code' );
|
||||
$query =~ s/code=/code=$code/;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/totp2fcheck', IO::String->new($query),
|
||||
length => length($query),
|
||||
),
|
||||
'Post code'
|
||||
);
|
||||
count(4);
|
||||
$id = expectCookie($res);
|
||||
|
||||
# CheckUser form
|
||||
# ------------------------
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/checkuser',
|
||||
cookie => "lemonldap=$id",
|
||||
accept => 'text/html'
|
||||
),
|
||||
'CheckUser form',
|
||||
);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUserMerged">%,
|
||||
'Found trspan="checkUserMerged"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUserMerged"' );
|
||||
count(2);
|
||||
|
||||
$query =~ s/url=/url=test1.example.com/;
|
||||
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkuser',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST checkuser'
|
||||
);
|
||||
count(1);
|
||||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUserMerged">%,
|
||||
'Found trspan="checkUserMerged"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUserMerged"' );
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="alert alert-success"><b><span trspan="allowed"></span></b></div>%,
|
||||
'Found trspan="allowed"'
|
||||
) or explain( $res->[2]->[0], 'trspan="allowed"' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="headers">%, 'Found trspan="headers"' )
|
||||
or explain( $res->[2]->[0], 'trspan="headers"' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="groups_sso">%,
|
||||
'Found trspan="groups_sso"' )
|
||||
or explain( $res->[2]->[0], 'trspan="groups_sso"' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="macros">%, 'Found trspan="macros"' )
|
||||
or explain( $res->[2]->[0], 'trspan="macros"' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="attributes">%,
|
||||
'Found trspan="attributes"' )
|
||||
or explain( $res->[2]->[0], 'trspan="attributes"' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="text-left">_userDB</td>%,
|
||||
'Found _userDB' )
|
||||
or explain( $res->[2]->[0], '_userDB' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="align-middle">Auth-User</td>%,
|
||||
'Found Auth-User' )
|
||||
or explain( $res->[2]->[0], 'Header Key: Auth-User' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="align-middle">dwho</td>%, 'Found dwho' )
|
||||
or explain( $res->[2]->[0], 'Header Value: dwho' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="align-middle">su</td>%, 'Found su' )
|
||||
or explain( $res->[2]->[0], 'SSO Groups: su' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="align-middle">_whatToTrace</td>%,
|
||||
'Found _whatToTrace' )
|
||||
or explain( $res->[2]->[0], 'Macro Key _whatToTrace' );
|
||||
ok( $res->[2]->[0] =~ m%<td class="text-left">uid</td>%, 'Found uid' )
|
||||
or explain( $res->[2]->[0], 'Attribute Value uid' );
|
||||
count(12);
|
||||
|
||||
$client->logout($id);
|
||||
}
|
||||
clean_sessions();
|
||||
|
||||
done_testing( count() );
|
|
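Review bot: `skip 'Convert::Base32 is missing';` passes no test count, unlike the other SKIP blocks in this commit which pass `$maintests`; Test::More warns that skip() needs to know how many tests are in the block, and because every `count(...)` call of this file sits inside the block, `done_testing( count() )` after it is reached with none of them performed. Moving the total into `my $maintests = <number of tests in the block>;` with `skip 'Convert::Base32 is missing', $maintests;` and `count($maintests);` after the closing brace, as the captcha file in this commit does, keeps the plan consistent. The description 'Connected as dwho' on the assertion that matches `Connected as</span> rtyler` should read `'Connected as rtyler'`.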
@ -66,6 +66,7 @@ ok(
|
|||
m%<span trspan="connectedAs">Connected as</span> dwho%,
|
||||
'Connected as dwho'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
count(1);
|
||||
|
||||
# CheckUser form
|
||||
|
|
|
@ -158,6 +158,7 @@ ok(
|
|||
m%<span trspan="connectedAs">Connected as</span> msmith%,
|
||||
'Connected as msmith'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'msmith' );
|
||||
count(1);
|
||||
|
||||
# CheckUser form
|
||||
|
@ -239,6 +240,7 @@ ok(
|
|||
m%<span trspan="connectedAs">Connected as</span> dwho%,
|
||||
'Connected as dwho'
|
||||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
expectAuthenticatedAs( $res, 'dwho' );
|
||||
count(1);
|
||||
|
||||
# CheckUser form
|
||||
|
|
|
@ -172,6 +172,7 @@ SKIP: {
|
|||
) or print STDERR Dumper( $res->[2]->[0] );
|
||||
|
||||
# Wait to have two different epoch values
|
||||
diag 'Waiting';
|
||||
sleep 1;
|
||||
|
||||
# Ajax registration request
|
||||
|
|
|
@ -76,6 +76,7 @@ count(1);
|
|||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
||||
count(1);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 2;
|
||||
|
||||
# Try to authenticate
|
||||
|
@ -116,6 +117,7 @@ count(1);
|
|||
ok( $res->[2]->[0] =~ /<span trmsg="86"><\/span>/, 'Protection enabled' );
|
||||
count(1);
|
||||
|
||||
diag 'Waiting';
|
||||
sleep 4;
|
||||
|
||||
# Try to authenticate again
|
||||
|
|