diff --git a/lemonldap-ng-common/scripts/lemonldap-ng-cli b/lemonldap-ng-common/scripts/lemonldap-ng-cli index 7926983ec..538bed739 100755 --- a/lemonldap-ng-common/scripts/lemonldap-ng-cli +++ b/lemonldap-ng-common/scripts/lemonldap-ng-cli @@ -3,12 +3,21 @@ use warnings; use strict; use POSIX; +use Getopt::Long; + +our $opt_user = '__APACHEUSER__'; +our $opt_group = '__APACHEGROUP'; +GetOptions ( + "user=s" => \$opt_user, + "group=s" => \$opt_group +) +or die("Error in command line arguments\n"); my $action; eval { - POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) ); - POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) ); + POSIX::setgid( scalar( getgrnam($opt_group) ) ); + POSIX::setuid( scalar( getpwnam($opt_user) ) ); }; for ( my $i = 0 ; $i < @ARGV ; $i++ ) { diff --git a/lemonldap-ng-common/scripts/lemonldap-ng-sessions b/lemonldap-ng-common/scripts/lemonldap-ng-sessions index 3be01a9b8..c13e14d68 100755 --- a/lemonldap-ng-common/scripts/lemonldap-ng-sessions +++ b/lemonldap-ng-common/scripts/lemonldap-ng-sessions @@ -167,8 +167,11 @@ Examples lemonldap-ng-sessions search --where uid=dwho \ --id-only + lemonldap-ng-sessions search --backend persistent \ + --where _session_uid=dwho + lemonldap-ng-sessions search --where uid=dwho \ - --select authenticationLevel + --select authenticationLevel =head2 Delete @@ -191,6 +194,8 @@ Examples: lemonldap-ng-sessions delete --where uid=dwho + lemonldap-ng-sessions delete --persistent --where _session_uid=dwho + =head2 Set Key lemonldap-ng-sessions setKey [ ...] diff --git a/lemonldap-ng-manager/scripts/lmConfigEditor b/lemonldap-ng-manager/scripts/lmConfigEditor index 1d336a112..7bc186214 100755 --- a/lemonldap-ng-manager/scripts/lmConfigEditor +++ b/lemonldap-ng-manager/scripts/lmConfigEditor 
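Review bot: The new default in lemonldap-ng-cli reads `our $opt_group = '__APACHEGROUP';`, missing the trailing underscores that the removed line and the lmConfigEditor hunk use; if the build substitutes `__APACHEGROUP__`, this literal is never replaced, `getgrnam` returns nothing, and `POSIX::setgid(undef)` becomes `setgid(0)` — when invoked as root the script silently keeps gid 0, with at most an uninitialized-value warning because the surrounding `eval` reports nothing. The fix is `our $opt_group = '__APACHEGROUP__';`. Separately, `GetOptions` runs in its default configuration before the `for` loop that scans `@ARGV` (the loop body continues outside the hunk); if that loop handles the script's own `-name value` options, `GetOptions` will now reject them as unknown and the `or die` aborts, unless `Getopt::Long::Configure('pass_through')` is set first. Since `--user`/`--group` are now caller-supplied, consider dying when `getpwnam`/`getgrnam` resolve to nothing instead of falling through to `setuid(undef)`.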
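Review bot: The two new POD examples select the persistent backend with different spellings — `search --backend persistent` versus `delete --persistent`; if only one form is accepted by the option parser (not visible here), the other example will fail for users who copy it. Either align both examples on the accepted form or, if both are valid aliases, say so once in the text so the difference does not read as a typo.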
@@ -10,13 +10,23 @@ use English qw(-no_match_vars); use File::Temp; use POSIX qw(setuid setgid); use Safe; +use Getopt::Long; use strict; my $cli = Lemonldap::NG::Manager::Cli::Lib->new; +our $opt_user = '__APACHEUSER__'; +our $opt_group = '__APACHEGROUP__'; + +GetOptions ( + "user=s" => \$opt_user, + "group=s" => \$opt_group +) +or die("Error in command line arguments\n"); + eval { - setgid( ( getgrnam('__APACHEGROUP__') )[2] ); - setuid( ( getpwnam('__APACHEUSER__') )[2] ); + setgid( ( getgrnam($opt_group) )[2] ); + setuid( ( getpwnam($opt_user) )[2] ); print STDERR "Running as uid $EUID and gid $EGID\n"; }; diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json index 04771a501..bd02dd8c0 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"خدمة أل يو أر ل", "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey", "zeroConfExplanations":"لا يحتوي الخادم على إعدادات. استخدام قالب لحفظ الأول" -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/de.json b/lemonldap-ng-manager/site/htdocs/static/languages/de.json index 7dc338108..1cf8897be 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"Service URL", "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey", "zeroConfExplanations":"Server has no configuration. Use template to save the first." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/es.json b/lemonldap-ng-manager/site/htdocs/static/languages/es.json index 830a14c33..32532e958 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/es.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/es.json 
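Review bot: With `--user` and `--group` now caller-supplied, an unknown name makes `( getpwnam($opt_user) )[2]` undef, so `setuid(undef)` is `setuid(0)` and a root invocation keeps full privileges; the `eval` does not help because `setgid`/`setuid` return false rather than die, so the only signal is the "Running as uid" line that follows. Resolve the ids first and refuse to continue when a name does not exist, and check the return values of the privilege drop rather than discarding them (a `warn` keeps the best-effort behaviour for non-root callers whose own uid is already correct). If this script can be started as root with supplementary groups, `POSIX::setgid` leaves them in place; assigning `$) = "$gid $gid"` before `setuid` drops them — worth confirming against how the editor is launched, which is outside the hunk.

```perl
my $gid = ( getgrnam($opt_group) )[2];
my $uid = ( getpwnam($opt_user) )[2];
die "Unknown group '$opt_group'\n" unless defined $gid;
die "Unknown user '$opt_user'\n"   unless defined $uid;
setgid($gid) or warn "setgid($gid) failed: $!\n";
setuid($uid) or warn "setuid($uid) failed: $!\n";
print STDERR "Running as uid $EUID and gid $EGID\n";
# … unchanged: rest of script …
```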
@@ -1211,4 +1211,4 @@ "yubikey2fUrl":"Service URL", "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey", "zeroConfExplanations":"Server has no configuration. Use template to save the first." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/it.json b/lemonldap-ng-manager/site/htdocs/static/languages/it.json index 2719830e1..9a8ab904a 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"URL del servizio", "yubikey2fUserCanRemoveKey":"Autorizza l'utente a rimuovere la Yubikey", "zeroConfExplanations":"Il server non ha alcuna configurazione. Utilizza il modello per salvare il primo." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json index aba9e4315..403a98fc6 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"URL usługi", "yubikey2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć Yubikey", "zeroConfExplanations":"Serwer nie ma konfiguracji. Użyj szablonu, aby zapisać pierwszy." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json index 6eda249a1..363f73617 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json 
@@ -1054,7 +1054,7 @@ "sfExtra":"Ek ikinci faktörler", "sfManagerRule":"Yönetici bağlantısını görüntüle", "sfOnlyUpgrade":"Oturum yükseltme için 2FA kullan", -"sfRegisterTimeout":"Registration timeout", +"sfRegisterTimeout":"Kayıtlanma zaman aşımı", "sfRemovedMsg":"Süresi dolan bir 2FA kaldırıldığında bir mesaj göster", "sfRemovedMsgRule":"Aktivasyon", "sfRemovedNotifMsg":"Bildirim mesajı", @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"Servis URL'si", "yubikey2fUserCanRemoveKey":"Yubikey'i kaldırmak için kullanıcıya izin ver", "zeroConfExplanations":"Sunucunun yapılandırması yok. Şimdi bir tane kaydetmek için şablonu kullanın." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json index dfa5308ff..4b095f6f2 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"Dịch vụ URL", "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey", "zeroConfExplanations":"Máy chủ không có cấu hình. Sử dụng mẫu để lưu đầu tiên. " -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json index 994942d32..b628e14b6 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json +++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"Service URL", "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey", "zeroConfExplanations":"Server has no configuration. Use template to save the first." -} +} \ No newline at end of file diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json index 2a4315423..b2dc164fd 100644 --- a/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json 
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json @@ -1211,4 +1211,4 @@ "yubikey2fUrl":"服務 URL", "yubikey2fUserCanRemoveKey":"允許使用者移除 Yubikey", "zeroConfExplanations":"伺服器未設定。使用飯本來儲存第一個。" -} +} \ No newline at end of file diff --git a/lemonldap-ng-portal/MANIFEST b/lemonldap-ng-portal/MANIFEST index 70b57047a..5877c0c1e 100644 --- a/lemonldap-ng-portal/MANIFEST +++ b/lemonldap-ng-portal/MANIFEST @@ -481,6 +481,7 @@ site/templates/common/registerBrowser.tpl site/templates/common/script.tpl t/01-AuthDemo.t t/01-CSP-and-CORS-headers.t +t/01-EnablePasswordDisplay.t t/01-Handler-redirection-and-URL-check-by-portal.t t/01-pdata.t t/01-Reject-Hashes-in-URL.t @@ -604,6 +605,9 @@ t/36-Combination.t t/37-CAS-App-to-SAML-IdP-POST-with-WAYF.t t/37-CAS-App-to-SAML-IdP-POST.t t/37-Issuer-Timeout.t +t/37-Logout-from-2-chained-SAML-SP-SOAP.t +t/37-Logout-from-OIDC-RP-to-SAML-IDP-Redirect.t +t/37-Logout-from-OIDC-RP-to-SAML-IDP-SOAP.t t/37-Logout-from-OIDC-RP-to-SAML-SP.t t/37-OIDC-RP-to-SAML-IdP-GET-with-WAYF.t t/37-OIDC-RP-to-SAML-IdP-GET.t @@ -651,6 +655,7 @@ t/57-GlobalLogout-with-Double-cookies.t t/57-GlobalLogout-without-Timer.t t/57-GlobalLogout.t t/57-LogoutForward.t +t/57-LogoutForward2153.t t/58-DecryptValue-with-custom-function.t t/58-DecryptValue-with-internal-function.t t/59-Double-cookies-for-a-Single-session.t @@ -738,6 +743,7 @@ t/73-2F-UTOTP-TOTP-and-U2F-with-History.t t/73-2F-UTOTP-TOTP-and-U2F.t t/73-2F-UTOTP-TOTP-only-with-History.t t/73-2F-UTOTP-TOTP-only.t +t/74-2F-Required-Issuer-Timeouts.t t/74-2F-Required.t t/75-2F-Registers.t t/76-2F-Ext-with-BruteForce.t diff --git a/lemonldap-ng-portal/site/htdocs/static/languages/tr.json b/lemonldap-ng-portal/site/htdocs/static/languages/tr.json index d84b926e8..a2d568454 100644 --- a/lemonldap-ng-portal/site/htdocs/static/languages/tr.json +++ b/lemonldap-ng-portal/site/htdocs/static/languages/tr.json 
@@ -292,12 +292,12 @@ "submit":"Gönder", "switchContext":"Bağlam değiştir", "totp2f":"OTP Uygulaması", -"totpExistingKey":"A TOTP device is already registered, you must remove it before adding a new TOTP device", -"totpMissingCode":"Please enter the code supplied by your TOTP application", -"totpQrCode":"Scan this QR code in your TOTP application", -"totpRegisterCode":"Input the code provided by your application", -"totpRegisterName":"Choose a name for this TOTP device", -"totpSecretKey":"If your TOTP application does not support QR codes, enter the following key instead:", +"totpExistingKey":"Bir TOTP cihazı zaten kaydedildi, yeni bir TOTP cihazı eklemeden önce diğerini kaldırmalısınız", +"totpMissingCode":"Lütfen TOTP uygulamanız tarafından sağlanan kodu girin", +"totpQrCode":"TOTP uygulamanızda bu QR kodu tarayın", +"totpRegisterCode":"Uygulamanız tarafından desteklenen kodu girin", +"totpRegisterName":"TOTP cihazınız için bir isim seçin", +"totpSecretKey":"TOTP uygulamanız QR kodlarını desteklemiyorsa, bunun yerine aşağıdaki anahtarı girin:", "touchU2fDevice":"Lütfen şimdi yanıp sönen U2F cihazına dokunun.", "touchU2fDeviceOrEnterTotp":"Lütfen şimdi yanıp sönen U2F cihazına dokunun veya TOTP kodunu girin.", "type":"Tür", diff --git a/lemonldap-ng-portal/t/03-XSS-protection.t b/lemonldap-ng-portal/t/03-XSS-protection.t index 032481593..e12a52b8e 100644 --- a/lemonldap-ng-portal/t/03-XSS-protection.t +++ b/lemonldap-ng-portal/t/03-XSS-protection.t @@ -97,6 +97,11 @@ my @tests = ( 'aHR0cDovL3d3dz88c2NyaXB0Pg==', 'http://test1.example.com/' => 0, 'script with logout', + + # 21 url=http://www.toto.com/, no referer + 'aHR0cDovL3d3dy50b3RvLmNvbS8=', + '' => 1, + 'Logout required by good site, empty referer', ); my $res; diff --git a/lemonldap-ng-portal/t/57-LogoutForward2153.t b/lemonldap-ng-portal/t/57-LogoutForward2153.t new file mode 100644 index 000000000..98d283bed --- /dev/null +++ b/lemonldap-ng-portal/t/57-LogoutForward2153.t 
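Review bot: The new case 21 in 03-XSS-protection.t pins only the accepting path (a trusted logout URL with an empty Referer expects 1); nothing asserts that an empty Referer does not also waive the check for an untrusted URL, so a regression that treats a missing Referer as a free pass on logout redirects would go unnoticed. Add the negative twin next to it, e.g. `'aHR0cDovL3d3dy5ldmlsLmNvbS8=', '' => 0, 'Logout to untrusted site, empty referer',` (base64 of http://www.evil.com/), choosing a host that is not in the test's trusted-domain configuration, which is outside this hunk; if the test loop is counted, bump the plan accordingly.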
@@ -0,0 +1,136 @@ +use Test::More; +use strict; +use IO::String; +use Data::Dumper; + +BEGIN { + require 't/test-lib.pm'; +} + +my $res; + +my $client = LLNG::Manager::Test->new( { + ini => { + logLevel => 'error', + authentication => 'Demo', + userDB => 'Same', + loginHistoryEnabled => 0, + bruteForceProtection => 0, + requireToken => 0, + restSessionServer => 1, + logoutServices => { 'mytest' => 'http://test1.example.com/logout.html' }, # page that does not exist + locationRules => { + 'test1.example.com' => { + '(?#logout)^/logout.html' => 'unprotect', + 'default' => 'accept' + }, + }, + logger => 'Lemonldap::NG::Common::Logger::Std', + } + } +); + + +# Handler part +use_ok('Lemonldap::NG::Handler::Server'); +use_ok('Lemonldap::NG::Common::PSGI::Cli::Lib'); +count(2); + +my ( $cli, $app ); +ok( $app = Lemonldap::NG::Handler::Server->run( $client->ini ), 'App' ); +count(1); + + +## First successful connection for 'dwho' +ok( + $res = $client->_post( + '/', + IO::String->new('user=dwho&password=dwho'), + length => 23, + accept => 'text/html', + ), + '1st "dwho" Auth query' +); +count(1); +my $cookie = expectCookie($res, 'lemonldap'); + +expectRedirection( $res, 'http://auth.example.com/' ); + +## Logout request for 'dwho' +ok( + $res = $client->_get( + '/', + query => 'logout', + cookie => "lemonldap=$cookie", + accept => 'text/html' + ), + 'Logout request for "dwho"' +); +count(1); + + +ok( + $res->[2]->[0] =~ + m%

logoutFromOtherApp

%, + 'Found Logout Forward page' +) or explain( $res->[2]->[0], "PE_LOGOUT_OK" ); +count(1); + +$cookie = expectCookie($res, 'lemonldap'); +ok( $cookie eq "0", 'Test empty cookie sent at logout' ); +count(1); + +# Verify that there is no pdata +my $cookies = getCookies($res); +my $id; +ok( + ! defined( $id = $cookies->{'lemonldappdata'} ), + " Verify absence of cookie lemonldappdata" +) or explain( 'Get lemonldappdata cookie' ); +count(1); + +my ($logouturl) = grep(/iframe/, split("\n", $res->[2]->[0])); +$logouturl =~ s/.*