Merge branch 'v2.0'

lemonldap-ng-common/scripts/lemonldap-ng-cli

@@ -3,12 +3,21 @@
 use warnings;
 use strict;
 use POSIX;
+use Getopt::Long;
+
+our $opt_user = '__APACHEUSER__';
+our $opt_group = '__APACHEGROUP';
+GetOptions (
+        "user=s" => \$opt_user,
+        "group=s"   => \$opt_group
+)
+or die("Error in command line arguments\n");
 
 my $action;
 
 eval {
-    POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) );
-    POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) );
+    POSIX::setgid( scalar( getgrnam($opt_group) ) );
+    POSIX::setuid( scalar( getpwnam($opt_user) ) );
 };
 
 for ( my $i = 0 ; $i < @ARGV ; $i++ ) {

lemonldap-ng-common/scripts/lemonldap-ng-sessions

@@ -167,8 +167,11 @@ Examples
 	lemonldap-ng-sessions search --where uid=dwho \
 		--id-only
 
+	lemonldap-ng-sessions search --backend persistent \
+		--where _session_uid=dwho
+
 	lemonldap-ng-sessions search --where uid=dwho \
-		 --select authenticationLevel
+		--select authenticationLevel
 
 =head2 Delete
 
@@ -191,6 +194,8 @@ Examples:
 
 	lemonldap-ng-sessions delete --where uid=dwho
 
+	lemonldap-ng-sessions delete --persistent --where _session_uid=dwho
+
 =head2 Set Key
 
     lemonldap-ng-sessions setKey <id> <key> <value> [<key> <value> ...]

lemonldap-ng-manager/scripts/lmConfigEditor

@@ -10,13 +10,23 @@ use English qw(-no_match_vars);
 use File::Temp;
 use POSIX qw(setuid setgid);
 use Safe;
+use Getopt::Long;
 use strict;
 
 my $cli = Lemonldap::NG::Manager::Cli::Lib->new;
 
+our $opt_user = '__APACHEUSER__';
+our $opt_group = '__APACHEGROUP__';
+
+GetOptions (
+        "user=s" => \$opt_user,
+        "group=s"   => \$opt_group
+)
+or die("Error in command line arguments\n");
+
 eval {
-    setgid( ( getgrnam('__APACHEGROUP__') )[2] );
-    setuid( ( getpwnam('__APACHEUSER__') )[2] );
+    setgid( ( getgrnam($opt_group) )[2] );
+    setuid( ( getpwnam($opt_user) )[2] );
     print STDERR "Running as uid $EUID and gid $EGID\n";
 };
 

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"خدمة أل يو أر ل",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"لا يحتوي الخادم على إعدادات. استخدام قالب لحفظ الأول"
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/es.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"URL del servizio",
 "yubikey2fUserCanRemoveKey":"Autorizza l'utente a rimuovere la Yubikey",
 "zeroConfExplanations":"Il server non ha alcuna configurazione. Utilizza il modello per salvare il primo."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/pl.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"URL usługi",
 "yubikey2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć Yubikey",
 "zeroConfExplanations":"Serwer nie ma konfiguracji. Użyj szablonu, aby zapisać pierwszy."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -1054,7 +1054,7 @@
 "sfExtra":"Ek ikinci faktörler",
 "sfManagerRule":"Yönetici bağlantısını görüntüle",
 "sfOnlyUpgrade":"Oturum yükseltme için 2FA kullan",
-"sfRegisterTimeout":"Registration timeout",
+"sfRegisterTimeout":"Kayıtlanma zaman aşımı",
 "sfRemovedMsg":"Süresi dolan bir 2FA kaldırıldığında bir mesaj göster",
 "sfRemovedMsgRule":"Aktivasyon",
 "sfRemovedNotifMsg":"Bildirim mesajı",
@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"Servis URL'si",
 "yubikey2fUserCanRemoveKey":"Yubikey'i kaldırmak için kullanıcıya izin ver",
 "zeroConfExplanations":"Sunucunun yapılandırması yok. Şimdi bir tane kaydetmek için şablonu kullanın."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"Dịch vụ URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Máy chủ không có cấu hình. Sử dụng mẫu để lưu đầu tiên. "
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json

@@ -1211,4 +1211,4 @@
 "yubikey2fUrl":"服務 URL",
 "yubikey2fUserCanRemoveKey":"允許使用者移除 Yubikey",
 "zeroConfExplanations":"伺服器未設定。使用飯本來儲存第一個。"
-}
+}

lemonldap-ng-portal/MANIFEST

@@ -481,6 +481,7 @@ site/templates/common/registerBrowser.tpl
 site/templates/common/script.tpl
 t/01-AuthDemo.t
 t/01-CSP-and-CORS-headers.t
+t/01-EnablePasswordDisplay.t
 t/01-Handler-redirection-and-URL-check-by-portal.t
 t/01-pdata.t
 t/01-Reject-Hashes-in-URL.t
@@ -604,6 +605,9 @@ t/36-Combination.t
 t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t
 t/37-CAS-App-to-SAML-IdP-POST.t
 t/37-Issuer-Timeout.t
+t/37-Logout-from-2-chained-SAML-SP-SOAP.t
+t/37-Logout-from-OIDC-RP-to-SAML-IDP-Redirect.t
+t/37-Logout-from-OIDC-RP-to-SAML-IDP-SOAP.t
 t/37-Logout-from-OIDC-RP-to-SAML-SP.t
 t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t
 t/37-OIDC-RP-to-SAML-IdP-GET.t
@@ -651,6 +655,7 @@ t/57-GlobalLogout-with-Double-cookies.t
 t/57-GlobalLogout-without-Timer.t
 t/57-GlobalLogout.t
 t/57-LogoutForward.t
+t/57-LogoutForward2153.t
 t/58-DecryptValue-with-custom-function.t
 t/58-DecryptValue-with-internal-function.t
 t/59-Double-cookies-for-a-Single-session.t
@@ -738,6 +743,7 @@ t/73-2F-UTOTP-TOTP-and-U2F-with-History.t
 t/73-2F-UTOTP-TOTP-and-U2F.t
 t/73-2F-UTOTP-TOTP-only-with-History.t
 t/73-2F-UTOTP-TOTP-only.t
+t/74-2F-Required-Issuer-Timeouts.t
 t/74-2F-Required.t
 t/75-2F-Registers.t
 t/76-2F-Ext-with-BruteForce.t

lemonldap-ng-portal/site/htdocs/static/languages/tr.json

@@ -292,12 +292,12 @@
 "submit":"Gönder",
 "switchContext":"Bağlam değiştir",
 "totp2f":"OTP Uygulaması",
-"totpExistingKey":"A TOTP device is already registered, you must remove it before adding a new TOTP device",
-"totpMissingCode":"Please enter the code supplied by your TOTP application",
-"totpQrCode":"Scan this QR code in your TOTP application",
-"totpRegisterCode":"Input the code provided by your application",
-"totpRegisterName":"Choose a name for this TOTP device",
-"totpSecretKey":"If your TOTP application does not support QR codes, enter the following key instead:",
+"totpExistingKey":"Bir TOTP cihazı zaten kaydedildi, yeni bir TOTP cihazı eklemeden önce diğerini kaldırmalısınız",
+"totpMissingCode":"Lütfen TOTP uygulamanız tarafından sağlanan kodu girin",
+"totpQrCode":"TOTP uygulamanızda bu QR kodu tarayın",
+"totpRegisterCode":"Uygulamanız tarafından desteklenen kodu girin",
+"totpRegisterName":"TOTP cihazınız için bir isim seçin",
+"totpSecretKey":"TOTP uygulamanız QR kodlarını desteklemiyorsa, bunun yerine aşağıdaki anahtarı girin:",
 "touchU2fDevice":"Lütfen şimdi yanıp sönen U2F cihazına dokunun.",
 "touchU2fDeviceOrEnterTotp":"Lütfen şimdi yanıp sönen U2F cihazına dokunun veya TOTP kodunu girin.",
 "type":"Tür",

lemonldap-ng-portal/t/03-XSS-protection.t

@@ -97,6 +97,11 @@ my @tests = (
     'aHR0cDovL3d3dz88c2NyaXB0Pg==',
     'http://test1.example.com/' => 0,
     'script with logout',
+
+    # 21 url=http://www.toto.com/, no referer
+    'aHR0cDovL3d3dy50b3RvLmNvbS8=',
+    '' => 1,
+    'Logout required by good site, empty referer',
 );
 
 my $res;

lemonldap-ng-portal/t/57-LogoutForward2153.t

@@ -0,0 +1,136 @@
+use Test::More;
+use strict;
+use IO::String;
+use Data::Dumper;
+
+BEGIN {
+    require 't/test-lib.pm';
+}
+
+my $res;
+
+my $client = LLNG::Manager::Test->new( {
+        ini => {
+            logLevel             => 'error',
+            authentication       => 'Demo',
+            userDB               => 'Same',
+            loginHistoryEnabled  => 0,
+            bruteForceProtection => 0,
+            requireToken         => 0,
+            restSessionServer    => 1,
+            logoutServices       => { 'mytest' => 'http://test1.example.com/logout.html' }, # page that does not exist
+            locationRules => {
+                               'test1.example.com' => {
+                                                       '(?#logout)^/logout.html' => 'unprotect',
+                                                       'default' => 'accept'
+                                                     },
+                             },
+            logger         => 'Lemonldap::NG::Common::Logger::Std',
+        }
+    }
+);
+
+
+# Handler part
+use_ok('Lemonldap::NG::Handler::Server');
+use_ok('Lemonldap::NG::Common::PSGI::Cli::Lib');
+count(2);
+
+my ( $cli, $app );
+ok( $app = Lemonldap::NG::Handler::Server->run( $client->ini ), 'App' );
+count(1);
+
+
+## First successful connection for 'dwho'
+ok(
+    $res = $client->_post(
+        '/',
+        IO::String->new('user=dwho&password=dwho'),
+        length => 23,
+        accept => 'text/html',
+    ),
+    '1st "dwho" Auth query'
+);
+count(1);
+my $cookie = expectCookie($res, 'lemonldap');
+
+expectRedirection( $res, 'http://auth.example.com/' );
+
+## Logout request for 'dwho'
+ok(
+    $res = $client->_get(
+        '/',
+        query  => 'logout',
+        cookie => "lemonldap=$cookie",
+        accept => 'text/html'
+    ),
+    'Logout request for "dwho"'
+);
+count(1);
+
+
+ok(
+    $res->[2]->[0] =~
+      m%<h3 trspan="logoutFromOtherApp">logoutFromOtherApp</h3>%,
+    'Found Logout Forward page'
+) or explain( $res->[2]->[0], "PE_LOGOUT_OK" );
+count(1);
+
+$cookie = expectCookie($res, 'lemonldap');
+ok( $cookie eq "0", 'Test empty cookie sent at logout' );
+count(1);
+
+# Verify that there is no pdata
+my $cookies = getCookies($res);
+my $id;
+ok(
+    ! defined( $id = $cookies->{'lemonldappdata'} ),
+        " Verify absence of cookie lemonldappdata"
+) or explain( 'Get lemonldappdata cookie' );
+count(1);
+
+my ($logouturl) = grep(/iframe/, split("\n", $res->[2]->[0]));
+$logouturl =~ s/.*<iframe src="([^"]+)".*/\1/;
+my $ep = $logouturl;
+$ep =~ s/https?:\/\/[^\/]+//;
+
+## Forward logout
+## TODO: handler behaviour is incomplete here, because it does not check:
+##       - locationRules
+##       - presence of resource in the server (404,...)
+ok(
+    $res = $app->( {
+            'HTTP_ACCEPT'          => 'text/html',
+            'SCRIPT_NAME'          => '/',
+            'SERVER_NAME'          => '127.0.0.1',
+            'HTTP_CACHE_CONTROL'   => 'max-age=0',
+            'HTTP_ACCEPT_LANGUAGE' => 'fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3',
+            'PATH_INFO'            => '/',
+            'REQUEST_METHOD'       => 'GET',
+            'REQUEST_URI'          => "/$ep",
+            'X_ORIGINAL_URI'       => "/",
+            'SERVER_PORT'          => '80',
+            'SERVER_PROTOCOL'      => 'HTTP/1.1',
+            'HTTP_USER_AGENT' =>
+              'Mozilla/5.0 (VAX-4000; rv:36.0) Gecko/20350101 Firefox',
+            'REMOTE_ADDR' => '127.0.0.1',
+            'HTTP_HOST'   => 'test1.example.com',
+            'COOKIE'   => "lemonldap=$cookie",
+        }
+    ),
+    'Forward logout'
+);
+count(1);
+
+# Verify that there is no pdata
+$cookies = getCookies($res);
+$id;
+ok(
+    ! defined( $id = $cookies->{'lemonldappdata'} ),
+        " Verify absence of cookie lemonldappdata"
+) or explain( 'Get lemonldappdata cookie' );
+count(1);
+
+clean_sessions();
+
+done_testing( count() );