Merge remote-tracking branch 'origin/v2.0'

Christophe Maudoux 2019-06-04 23:26:19 +02:00
commit f3a37d2387
18 changed files with 76 additions and 30 deletions


@ -791,7 +791,11 @@ sub sendHtml {
'Expires' => '0'; # Proxies
my @cors = split /;/, $self->cors;
push @{ $res->[1] }, @cors if $self->conf->{corsEnabled};
if ( $self->conf->{corsEnabled} ) {
push @{ $res->[1] }, @cors;
$self->logger->debug(
"Apply following CORS policy : " . Data::Dumper::Dumper(\@cors) );
}
# Set authorized URL for POST
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
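Review bot: `Data::Dumper::Dumper(\@cors)` in the new debug call is evaluated on every HTML response, because the message string is built before the logger decides whether debug output is wanted, and it also relies on Data::Dumper already being loaded, which this hunk does not show. `@cors` is the list pushed straight onto the response header array, presumably header name/value pairs, so `"Apply following CORS policy : " . join( ';', @cors )` logs the same information on one line without the Dumper call. `my @cors = split /;/, $self->cors;` is still computed when `corsEnabled` is off; moving that line inside the `if` keeps the split next to its only use. sendHtml starts and ends outside the hunk.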


@ -60,7 +60,7 @@ sub init {
sub check {
my ( $self, $req ) = @_;
my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
my $msg = my $auth = '';
my $msg = my $auth = my $compute = '';
# Check token
if ( $self->ottRule->( $req, {} ) ) {
@ -134,6 +134,7 @@ sub check {
# Try to retrieve session from sessions DB
$self->userLogger->notice('Try to retrieve session from DB...');
$self->logger->debug('Try to retrieve session from DB...');
my $moduleOptions = $self->conf->{globalStorageOptions} || {};
$moduleOptions->{backend} = $self->conf->{globalStorage};
my $sessions =
@ -152,7 +153,10 @@ sub check {
$req->{user} = $user;
$self->userLogger->notice(
"NO session found in DB. Compute userData...");
$self->logger->debug(
"NO session found in DB. Compute userData...");
$attrs = $self->_userData($req);
$compute = 1;
}
}
@ -166,6 +170,7 @@ sub check {
$self->{conf}->{impersonationMergeSSOgroups}
? 'checkUserMerged'
: 'checkUser';
$msg = 'checkUserComputeSession' if $compute;
# Create an array of hashes for template loop
$self->logger->debug("Delete hidden or empty attributes");
@ -197,18 +202,17 @@ sub check {
$url = $self->_urlFormat($url);
# User is allowed ?
$auth = $self->_authorization( $req, $url );
$self->logger->debug(
"checkUser requested for user: $req->{user} and URL: $url");
"checkUser requested for user: $attrs->{ $self->{conf}->{whatToTrace} } and URL: $url");
$auth = $self->_authorization( $req, $url, $attrs );
if ( $auth >= 0 ) {
$auth = $auth ? "allowed" : "forbidden";
$self->userLogger->notice( "checkUser -> $req->{user} is "
$self->userLogger->notice( "checkUser -> $attrs->{ $self->{conf}->{whatToTrace} } is "
. uc($auth)
. " to access: $url" );
# Return VirtualHost headers
$array_hdrs = $self->_headers( $req, $url );
$array_hdrs = $self->_headers( $req, $url, $attrs );
}
else {
$auth = 'VHnotFound';
@ -254,6 +258,7 @@ sub display {
my ( $self, $req ) = @_;
my ( $attrs, $array_attrs ) = ( {}, [] );
$self->logger->debug("Display current session data...");
$self->userLogger->notice("Retrieve session from Sessions database");
$self->userLogger->warn("Using spoofed SSO groups if exist!!!")
if ( $self->conf->{impersonationRule} );
@ -317,7 +322,6 @@ sub _urlFormat {
$vhost =~ s/:\d+$//;
$vhost .= $self->conf->{domain} unless ( $vhost =~ /\./ );
#$appuri ||= '/';
return lc("$proto$vhost$port") . "$appuri";
}
@ -341,6 +345,13 @@ sub _userData {
return $req->error($error);
}
unless ( defined $req->sessionInfo->{uid} ) {
# Avoid error with SAML, OIDC, etc...
$self->logger->debug("\"$req->{user}\" NOT found in userDB");
return $req->error(PE_BADCREDENTIALS);
}
# Check identities rule
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
$self->userLogger->warn(
@ -349,18 +360,13 @@ sub _userData {
$self->logger->debug('Identity not authorized');
return $req->error(PE_BADCREDENTIALS);
}
unless ( defined $req->sessionInfo->{uid} ) {
# Avoid error with SAML, OIDC, etc...
$self->logger->debug("\"$req->{user}\" NOT found in userDB");
return $req->error(PE_BADCREDENTIALS);
}
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
return $req->{sessionInfo};
}
sub _authorization {
my ( $self, $req, $uri ) = @_;
my ( $self, $req, $uri, $attrs ) = @_;
my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
my $exist = 0;
@ -373,23 +379,22 @@ sub _authorization {
}
}
$self->logger->debug("Return \"$req->{user}\" authorization");
$self->logger->debug("Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" authorization");
return $exist
? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
? $self->p->HANDLER->grant( $req, $attrs, $appuri,
undef, $vhost )
: -1;
}
sub _headers {
my ( $self, $req, $uri ) = @_;
my ( $self, $req, $uri, $attrs ) = @_;
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
$vhost =~ s/:\d+$//;
$req->{env}->{HTTP_HOST} = $vhost;
$self->p->HANDLER->headersInit( $self->{conf} );
$self->logger->debug("Return \"$req->{user}\" headers");
return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
$self->logger->debug("Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" headers");
return $self->p->HANDLER->checkHeaders( $req, $attrs );
}
sub _splitAttributes {
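Review bot: `_authorization` and `_headers` now dereference `$attrs` unconditionally (the debug lines and the `grant`/`checkHeaders` calls), but the new fourth parameter has no fallback, so a caller that still passes only `( $req, $url )` hands the handler undef user data where it previously got `$req->{userData}`; `$attrs //= $req->{userData};` after the argument unpacking in both subs keeps the old behaviour for such callers. The two call sites in `check` are updated in this commit, but `check` also stores whatever `_userData` returns into `$attrs`, including the `$req->error(...)` value on its failure paths, and if that is not a hashref the same dereferences die under strict refs; what happens between the `_userData` call and the authorization step is outside the visible lines. A smaller point of style: the new lines read the config as `$self->{conf}->{whatToTrace}` while other lines in this file use `$self->conf->{...}`. The bodies of `check`, `_authorization` and `_headers` all extend beyond the hunks shown.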


@ -109,6 +109,7 @@
"checkLastLogins":"تحقق من آخر تسجيلات دخول الخاصة بي",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"اختر أحد التطبيقات المسموح لك بالدخول إليها",
"clickHere":"الرجاء الضغط هنا",


@ -109,6 +109,7 @@
"checkLastLogins":"Überprüfe meine letzten Logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Wählen deinen Ihren zweiten Faktor",
"chooseApp":"Wählen Sie eine Anwendung aus, auf die du zugreifen darfst",
"clickHere":"Bitte hier klicken",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Tarkista viimeiset kirjautumiseni",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Voir mes dernières connexions",
"checkUser":"Vérifier le profil SSO d'un utilisateur",
"checkUserMerged":"Vérifier le profil SSO d'un utilisateur. Les groupes SSO réels et usurpés sont fusionnés !!!",
"checkUserComputeSession":"Données de session issues d'une évaluation !!!",
"choose2f":"Choisissez votre second facteur",
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
"clickHere":"Cliquez ici",


@ -109,6 +109,7 @@
"checkLastLogins":"Controllare i miei ultimi accessi",
"checkUser":"Controlla il profilo SSO dell'utente",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Scegli il tuo secondo fattore",
"chooseApp":"Scegli un'applicazione alla quale ti è consentito l'accesso",
"clickHere":"Per favore clicka qui",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"Please click here",


@ -109,6 +109,7 @@
"checkLastLogins":"Kiểm tra lần đăng nhập cuối cùng của bạn",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Chọn một ứng dụng bạn được phép truy cập vào",
"clickHere":"Vui lòng nhấp vào đây",


@ -109,6 +109,7 @@
"checkLastLogins":"Check my last logins",
"checkUser":"Check user SSO profile",
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
"checkUserComputeSession":"Computed session data!!!",
"choose2f":"Choose your second factor",
"chooseApp":"Choose an application your are allowed to access to",
"clickHere":"请点击这里",


@ -105,8 +105,8 @@ count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
or explain( $res->[2]->[0], 'trspan="checkUser"' );
ok( $res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%, 'Found trspan="checkUserComputeSession"' )
or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
ok(
$res->[2]->[0] =~
m%<div class="alert alert-success"><b><span trspan="allowed"></span></b></div>%,
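Review bot: The new assertion `ok( $res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%, ... )` keeps the `ok( ... =~ ... )` form, which on failure reports only "not ok" and relies on the `or explain(...)` fallback to dump the whole page; `like( $res->[2]->[0], qr%<span trspan="checkUserComputeSession">%, 'Found trspan="checkUserComputeSession"' )` prints both the pattern and the string in the diagnostic. The same shape is repeated in the later test section that adds the multi-line `ok(` version of this check. Both changes sit inside a test script whose surrounding statements are outside the hunk.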


@ -267,7 +267,7 @@ SKIP: {
or explain( $res->[2]->[0], 'Value french' );
count(4);
# CheckUser request with unknown user
# CheckUser request with an unknown user
$query =~ s/user=french/user=rtyler/;
ok(
$res = $sp->_post(
@ -286,7 +286,7 @@ m%<div class="message message-positive alert"><span trspan="PE5"></span></div>%,
) or explain( $res->[2]->[0], 'PE5 - Unknown identity' );
count(2);
# CheckUser request with an already authneticated user
# CheckUser request with an already authenticated user
$query =~ s/user=rtyler/user=davros/;
ok(
$res = $sp->_post(


@ -105,8 +105,10 @@ count(1);
( $host, $url, $query ) =
expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
or explain( $res->[2]->[0], 'trspan="checkUser"' );
ok(
$res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%,
'Found trspan="checkUserComputeSession"'
) or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
ok(
$res->[2]->[0] =~
m%<div class="alert alert-success"><b><span trspan="allowed"></span></b></div>%,


@ -144,6 +144,7 @@ ok( $res->[2]->[0] =~ m%<td class="align-middle">dwho</td>%, 'Found dwho' )
or explain( $res->[2]->[0], 'Macro Value dwho' );
count(3);
# Request with bad VH
$query =~ s/user=dwho/user=rtyler/;
$query =~ s/url=http%3A%2F%2Ftest1.example.com/url=http%3A%2F%2Ftry.example.com/;
ok(
@ -157,8 +158,6 @@ ok(
'POST checkuser'
);
count(1);
# Request with bad VH
( $host, $url, $query ) =
expectForm( $res, undef, '/checkuser', 'user', 'url' );
ok( $res->[2]->[0] =~ m%<span trspan="VHnotFound">%,
@ -166,10 +165,30 @@ ok( $res->[2]->[0] =~ m%<span trspan="VHnotFound">%,
or explain( $res->[2]->[0], 'trspan="VHnotFound"' );
count(1);
# Request with forbidden URL
$query =~ s#url=http%3A%2F%2Ftry.example.com#url=http%3A%2F%2Fauth.example.com/checkuser#;
ok(
$res = $client->_post(
'/checkuser',
IO::String->new($query),
cookie => "lemonldap=$id",
length => length($query),
accept => 'text/html',
),
'POST checkuser'
);
( $host, $url, $query ) =
expectForm( $res, undef, '/checkuser', 'user', 'url' );
ok(
$res->[2]->[0] =~
m%<div class="alert alert-danger"><b><span trspan="forbidden"></span></b></div>%,
'Found trspan="forbidden"'
) or explain( $res->[2]->[0], 'trspan="forbidden"' );
count(2);
# Request with good VH & user
$query =~
s#url=http%3A%2F%2Ftry.example.com#url=hTTp%3A%2F%2FTest1.exAmple.cOm/UriTesT#;
s#url=http%3A%2F%2Fauth.example.com%2Fcheckuser#url=hTTp%3A%2F%2FTest1.exAmple.cOm/UriTesT#;
ok(
$res = $client->_post(
'/checkuser',
@ -222,6 +241,10 @@ ok( $res->[2]->[0] =~ m%<td class="text-left">uid</td>%, 'Found uid' )
or explain( $res->[2]->[0], 'Attribute Value uid' );
count(11);
my @c = ( $res->[2]->[0] =~ /<td class="align-middle">rtyler/gs );
ok( @c == 2, ' -> Two entries found' );
count(1);
# Request with short VH url & user
$query =~
s#url=http%3A%2F%2Ftest1.example.com%2FUriTesT#url=http%3A%2F%2Ftest1:1234#;