Merge branch 'DevOps-redirection' into 'v2.0'
Append redirection params (#2685) See merge request lemonldap-ng/lemonldap-ng!241
This commit is contained in:
commit
f2b8cd870e
|
@ -7,7 +7,7 @@ Our concept of SSOaaS
|
|||
Access management provides 3 services:
|
||||
|
||||
- Global Authentication: Single Sign-On
|
||||
- Authorization: to grant authentication is not enough. User rights
|
||||
- Authorization: Grant authentication is not enough. User rights
|
||||
must be checked
|
||||
- Accounting: SSO logs (access) + application logs *(transactions and
|
||||
results)*
|
||||
|
@ -25,13 +25,13 @@ the ability for an app to manage authorizations and choose user
|
|||
attributes to set. Authentication can not be really ``*aaS``: app must
|
||||
just use it, not manage it.
|
||||
|
||||
LL::NG affords some features that can be used to provide SSO as a
|
||||
service: a web application can manage its rules and headers. Docker or
|
||||
LL::NG affords some features that can be used for providing SSO as a
|
||||
Service: a web application can manage its rules and headers. Docker or
|
||||
VM images (Nginx only) includes LL::NG Nginx configuration that aims to
|
||||
a global
|
||||
:ref:`LL::NG authorization server<platformsoverview-external-servers-for-nginx>`.
|
||||
By default, all authenticated users can access and one header is set:
|
||||
``Auth-User``. If application gives a RULES_URL parameter that refers to
|
||||
``Auth-User``. If application defines a RULES_URL parameter that refers to
|
||||
a JSON file, authorization server will read it, apply specified rules
|
||||
and set required headers (see :doc:`DevOps Handler<devopshandler>`).
|
||||
|
||||
|
@ -64,8 +64,9 @@ Using a global FastCGI (or uWSGI) server
|
|||
Nginx
|
||||
^^^^^
|
||||
|
||||
In this example, web server templates (Nginx only) are configured to
|
||||
request authorization from a central FastCGI server:
|
||||
Examples below are web server templates (Nginx only) configured to
|
||||
request authorization from a central FastCGI server.
|
||||
With an uWSGI central server, use 'uwsgi_param' directive (Nginx only):
|
||||
|
||||
.. code::
|
||||
|
||||
|
@ -86,7 +87,11 @@ request authorization from a central FastCGI server:
|
|||
# Keep original request (LLNG server will received /lmauth)
|
||||
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||
|
||||
# Set dynamically rules (LLNG will poll it every 10 mn)
|
||||
# Set redirection params
|
||||
fastcgi_param HTTPS_REDIRECT "$https";
|
||||
fastcgi_param PORT_REDIRECT $server_port;
|
||||
|
||||
# Set dynamically rules (LL::NG will poll it every 10 mn)
|
||||
fastcgi_param RULES_URL http://rulesserver/my.json;
|
||||
}
|
||||
location /rules.json {
|
||||
|
@ -115,22 +120,22 @@ Apache
|
|||
^^^^^^
|
||||
|
||||
There is an experimental FastCGI client in LL::NG. You just have to
|
||||
install FCGI::Client and add this in the apache2.conf or your web
|
||||
applications or proxies.
|
||||
install LemonLDAP::NG handler and FCGI::Client. Then, add this in
|
||||
your apache2.conf, web applications or reverse-proxies.
|
||||
|
||||
The following configuration example assumes that you are in a "central
|
||||
FastCGI" configuration.
|
||||
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost ...>
|
||||
<VirtualHost port>
|
||||
ServerName app.tls
|
||||
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2::FCGIClient
|
||||
|
||||
# This must point to the central FastCGI server
|
||||
PerlSetVar LLNG_SERVER 192.0.2.1:9090
|
||||
|
||||
# Declare this vhost as a DevOps vhost, so that we do not have
|
||||
# Declare this vhost as a DevOps protected vhost. So you do not have
|
||||
# to declare it in the LemonLDAP::NG Manager
|
||||
PerlSetVar VHOSTTYPE DevOps
|
||||
|
||||
|
@ -138,6 +143,8 @@ FastCGI" configuration.
|
|||
# used to make the authentication decision about this virtualhost
|
||||
# Make sure the central FastCGI server can reach it
|
||||
PerlSetVar RULES_URL http://app.tld/rules.json
|
||||
PerlSetVar HTTPS_REDIRECT HTTPS
|
||||
PerlSetVar PORT_REDIRECT SERVER_PORT
|
||||
...
|
||||
</VirtualHost>
|
||||
|
||||
|
@ -158,6 +165,8 @@ you can protect also an Express server. Example:
|
|||
port: 9090,
|
||||
PARAMS: {
|
||||
RULES_URL: 'http://my-server/rules.json'
|
||||
HTTPS_REDIRECT: 'ON',
|
||||
PORT_REDIRECT: '443'
|
||||
}
|
||||
});
|
||||
|
||||
|
@ -204,6 +213,8 @@ Simple example:
|
|||
port => '9090',
|
||||
fcgi_auth_params => {
|
||||
RULES_URL => 'https://my-server/my.json',
|
||||
HTTPS_REDIRECT => 'ON',
|
||||
PORT_REDIRECT => 443
|
||||
},
|
||||
# Optional rejection subroutine
|
||||
#on_reject => \&on_reject;
|
||||
|
@ -229,6 +240,7 @@ directory.
|
|||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen <port>;
|
||||
server_name "~^(?<vhost>.+?)\.dev\.sso\.my\.domain$";
|
||||
location = /lmauth {
|
||||
internal;
|
||||
|
@ -243,6 +255,9 @@ directory.
|
|||
fastcgi_param HOST $http_host;
|
||||
# Keep original request (LL::NG server will received /lmauth)
|
||||
fastcgi_param X_ORIGINAL_URI $original_uri;
|
||||
# Set redirection params
|
||||
fastcgi_param HTTPS_REDIRECT "$https";
|
||||
fastcgi_param PORT_REDIRECT $server_port;
|
||||
}
|
||||
location /rules.json {
|
||||
auth_request off;
|
||||
|
@ -261,4 +276,3 @@ directory.
|
|||
}
|
||||
|
||||
.. |image0| image:: /documentation/devops.png
|
||||
|
||||
|
|
|
@ -43,7 +43,7 @@ sub handler {
|
|||
SERVER_PORT => $r->get_server_port,
|
||||
REQUEST_METHOD => $r->method,
|
||||
};
|
||||
foreach (qw(VHOSTTYPE RULES_URL)) {
|
||||
foreach (qw(VHOSTTYPE RULES_URL HTTPS_REDIRECT PORT_REDIRECT)) {
|
||||
if ( my $t = $r->dir_config($_) ) {
|
||||
$env->{$_} = $t;
|
||||
}
|
||||
|
|
|
@ -94,6 +94,10 @@ q"I refuse to compile 'rules.json' when useSafeJail isn't activated! Yes I know,
|
|||
$class->locationRulesInit( undef, { $vhost => $json->{rules} } );
|
||||
$class->headersInit( undef, { $vhost => $json->{headers} } );
|
||||
$class->tsv->{lastVhostUpdate}->{$vhost} = time;
|
||||
$class->tsv->{https}->{$vhost} = uc $req->env->{HTTPS_REDIRECT} eq 'ON'
|
||||
if exists $req->env->{HTTPS_REDIRECT};
|
||||
$class->tsv->{port}->{$vhost} = $req->env->{PORT_REDIRECT}
|
||||
if exists $req->env->{PORT_REDIRECT};
|
||||
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -11,9 +11,11 @@ BEGIN {
|
|||
init(
|
||||
'Lemonldap::NG::Handler::Server',
|
||||
{
|
||||
#logLevel => 'debug',
|
||||
#logLevel => 'debug',
|
||||
vhostOptions => {
|
||||
'test3.example.com' => {
|
||||
vhostHttps => 0,
|
||||
vhostPort => 80,
|
||||
vhostDevOpsRulesUrl =>
|
||||
'http://donotuse.example.com/myfile.json',
|
||||
},
|
||||
|
@ -23,6 +25,42 @@ init(
|
|||
|
||||
my $res;
|
||||
|
||||
# Unauthorized queries
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/', undef,
|
||||
'test3.example.com', undef,
|
||||
VHOSTTYPE => 'DevOps',
|
||||
RULES_URL => 'http://devops.example.com/file.json'
|
||||
),
|
||||
'Unauthorized query'
|
||||
);
|
||||
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
|
||||
${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
|
||||
ok( decode_base64 $1 eq 'http://test3.example.com/', 'Redirect URL found' )
|
||||
or explain( decode_base64 $1, 'http://test3.example.com/' );
|
||||
count(3);
|
||||
|
||||
Time::Fake->offset("+700s");
|
||||
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
'/', undef,
|
||||
'test3.example.com', undef,
|
||||
HTTPS_REDIRECT => 'on',
|
||||
PORT_REDIRECT => 8443,
|
||||
VHOSTTYPE => 'DevOps',
|
||||
RULES_URL => 'http://devops.example.com/file.json'
|
||||
),
|
||||
'Unauthorized query 2'
|
||||
);
|
||||
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
|
||||
${ $res->[1] }[1] =~ m#http://auth\.example\.com/\?url=(.+?)%#;
|
||||
ok( decode_base64 $1 eq 'https://test3.example.com:8443/',
|
||||
'Redirect URL found' )
|
||||
or explain( decode_base64 $1, 'https://test3.example.com:8443/' );
|
||||
count(3);
|
||||
|
||||
# Authorized queries
|
||||
ok(
|
||||
$res = $client->_get(
|
||||
|
|
Loading…
Reference in New Issue