Merge remote-tracking branch 'origin/v2.0'
This commit is contained in:
commit
f3a37d2387
|
@ -791,7 +791,11 @@ sub sendHtml {
|
|||
'Expires' => '0'; # Proxies
|
||||
|
||||
my @cors = split /;/, $self->cors;
|
||||
push @{ $res->[1] }, @cors if $self->conf->{corsEnabled};
|
||||
if ( $self->conf->{corsEnabled} ) {
|
||||
push @{ $res->[1] }, @cors;
|
||||
$self->logger->debug(
|
||||
"Apply following CORS policy : " . Data::Dumper::Dumper(\@cors) );
|
||||
}
|
||||
|
||||
# Set authorized URL for POST
|
||||
my $csp = $self->csp . "form-action " . $self->conf->{cspFormAction};
|
||||
|
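Review bot: The new debug line builds its argument with `Data::Dumper::Dumper(\@cors)` before `debug` is called, so every HTML response served with `corsEnabled` pays for a full dump (and a multi-line string in the log) regardless of the configured log level, and it relies on `Data::Dumper` being loaded somewhere in this file, which the hunk does not show. Since `@cors` is just the scalars split from `$self->cors`, a plain join is cheaper and keeps the entry on one line: `$self->logger->debug( "Apply following CORS policy : " . join( '; ', @cors ) );`. The enclosing sendHtml body starts and ends outside this hunk.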
|
|
@ -60,7 +60,7 @@ sub init {
|
|||
sub check {
|
||||
my ( $self, $req ) = @_;
|
||||
my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
|
||||
my $msg = my $auth = '';
|
||||
my $msg = my $auth = my $compute = '';
|
||||
|
||||
# Check token
|
||||
if ( $self->ottRule->( $req, {} ) ) {
|
||||
|
@ -134,6 +134,7 @@ sub check {
|
|||
|
||||
# Try to retrieve session from sessions DB
|
||||
$self->userLogger->notice('Try to retrieve session from DB...');
|
||||
$self->logger->debug('Try to retrieve session from DB...');
|
||||
my $moduleOptions = $self->conf->{globalStorageOptions} || {};
|
||||
$moduleOptions->{backend} = $self->conf->{globalStorage};
|
||||
my $sessions =
|
||||
|
@ -152,7 +153,10 @@ sub check {
|
|||
$req->{user} = $user;
|
||||
$self->userLogger->notice(
|
||||
"NO session found in DB. Compute userData...");
|
||||
$self->logger->debug(
|
||||
"NO session found in DB. Compute userData...");
|
||||
$attrs = $self->_userData($req);
|
||||
$compute = 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -166,6 +170,7 @@ sub check {
|
|||
$self->{conf}->{impersonationMergeSSOgroups}
|
||||
? 'checkUserMerged'
|
||||
: 'checkUser';
|
||||
$msg = 'checkUserComputeSession' if $compute;
|
||||
|
||||
# Create an array of hashes for template loop
|
||||
$self->logger->debug("Delete hidden or empty attributes");
|
||||
|
@ -197,18 +202,17 @@ sub check {
|
|||
$url = $self->_urlFormat($url);
|
||||
|
||||
# User is allowed ?
|
||||
$auth = $self->_authorization( $req, $url );
|
||||
$self->logger->debug(
|
||||
"checkUser requested for user: $req->{user} and URL: $url");
|
||||
"checkUser requested for user: $attrs->{ $self->{conf}->{whatToTrace} } and URL: $url");
|
||||
$auth = $self->_authorization( $req, $url, $attrs );
|
||||
if ( $auth >= 0 ) {
|
||||
|
||||
$auth = $auth ? "allowed" : "forbidden";
|
||||
$self->userLogger->notice( "checkUser -> $req->{user} is "
|
||||
$self->userLogger->notice( "checkUser -> $attrs->{ $self->{conf}->{whatToTrace} } is "
|
||||
. uc($auth)
|
||||
. " to access: $url" );
|
||||
|
||||
# Return VirtualHost headers
|
||||
$array_hdrs = $self->_headers( $req, $url );
|
||||
$array_hdrs = $self->_headers( $req, $url, $attrs );
|
||||
}
|
||||
else {
|
||||
$auth = 'VHnotFound';
|
||||
|
@ -254,6 +258,7 @@ sub display {
|
|||
my ( $self, $req ) = @_;
|
||||
my ( $attrs, $array_attrs ) = ( {}, [] );
|
||||
|
||||
$self->logger->debug("Display current session data...");
|
||||
$self->userLogger->notice("Retrieve session from Sessions database");
|
||||
$self->userLogger->warn("Using spoofed SSO groups if exist!!!")
|
||||
if ( $self->conf->{impersonationRule} );
|
||||
|
@ -317,7 +322,6 @@ sub _urlFormat {
|
|||
$vhost =~ s/:\d+$//;
|
||||
$vhost .= $self->conf->{domain} unless ( $vhost =~ /\./ );
|
||||
|
||||
#$appuri ||= '/';
|
||||
return lc("$proto$vhost$port") . "$appuri";
|
||||
}
|
||||
|
||||
|
@ -341,6 +345,13 @@ sub _userData {
|
|||
return $req->error($error);
|
||||
}
|
||||
|
||||
unless ( defined $req->sessionInfo->{uid} ) {
|
||||
|
||||
# Avoid error with SAML, OIDC, etc...
|
||||
$self->logger->debug("\"$req->{user}\" NOT found in userDB");
|
||||
return $req->error(PE_BADCREDENTIALS);
|
||||
}
|
||||
|
||||
# Check identities rule
|
||||
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
|
||||
$self->userLogger->warn(
|
||||
|
@ -349,18 +360,13 @@ sub _userData {
|
|||
$self->logger->debug('Identity not authorized');
|
||||
return $req->error(PE_BADCREDENTIALS);
|
||||
}
|
||||
unless ( defined $req->sessionInfo->{uid} ) {
|
||||
|
||||
# Avoid error with SAML, OIDC, etc...
|
||||
$self->logger->debug("\"$req->{user}\" NOT found in userDB");
|
||||
return $req->error(PE_BADCREDENTIALS);
|
||||
}
|
||||
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
|
||||
return $req->{sessionInfo};
|
||||
}
|
||||
|
||||
sub _authorization {
|
||||
my ( $self, $req, $uri ) = @_;
|
||||
my ( $self, $req, $uri, $attrs ) = @_;
|
||||
my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
|
||||
my $exist = 0;
|
||||
|
||||
|
@ -373,23 +379,22 @@ sub _authorization {
|
|||
}
|
||||
}
|
||||
|
||||
$self->logger->debug("Return \"$req->{user}\" authorization");
|
||||
$self->logger->debug("Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" authorization");
|
||||
return $exist
|
||||
? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
|
||||
? $self->p->HANDLER->grant( $req, $attrs, $appuri,
|
||||
undef, $vhost )
|
||||
: -1;
|
||||
}
|
||||
|
||||
sub _headers {
|
||||
my ( $self, $req, $uri ) = @_;
|
||||
my ( $self, $req, $uri, $attrs ) = @_;
|
||||
my ($vhost) = $uri =~ m#^https?://([^/]*).*#;
|
||||
|
||||
$vhost =~ s/:\d+$//;
|
||||
$req->{env}->{HTTP_HOST} = $vhost;
|
||||
$self->p->HANDLER->headersInit( $self->{conf} );
|
||||
|
||||
$self->logger->debug("Return \"$req->{user}\" headers");
|
||||
return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
|
||||
$self->logger->debug("Return \"$attrs->{ $self->{conf}->{whatToTrace} }\" headers");
|
||||
return $self->p->HANDLER->checkHeaders( $req, $attrs );
|
||||
}
|
||||
|
||||
sub _splitAttributes {
|
||||
|
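Review bot: The new log messages in check, _authorization and _headers all interpolate `$attrs->{ $self->{conf}->{whatToTrace} }`, which assumes `$attrs` is always a hash reference holding that attribute; on the compute path check assigns `$attrs = $self->_userData($req)`, and _userData returns `$req->error(...)` on the BADCREDENTIALS and identity-rule branches rather than the sessionInfo hashref. If the code between these hunks does not return before the URL handling (the rest of check is outside the hunks), the dereference would die under strict refs or emit "uninitialized value" warnings in the log, and the same value is recomputed in four places. Resolving the traced identity once in check with a fallback keeps the logging robust, e.g. `my $whoami = ( ref $attrs eq 'HASH' ? $attrs->{ $self->{conf}->{whatToTrace} } : undef ) // $req->{user};`, and passing or reusing `$whoami` in the notice and debug calls. Whether `whatToTrace` is always present in computed userData cannot be confirmed from this diff.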
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"تحقق من آخر تسجيلات دخول الخاصة بي",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"اختر أحد التطبيقات المسموح لك بالدخول إليها",
|
||||
"clickHere":"الرجاء الضغط هنا",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Überprüfe meine letzten Logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Wählen deinen Ihren zweiten Faktor",
|
||||
"chooseApp":"Wählen Sie eine Anwendung aus, auf die du zugreifen darfst",
|
||||
"clickHere":"Bitte hier klicken",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Tarkista viimeiset kirjautumiseni",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Voir mes dernières connexions",
|
||||
"checkUser":"Vérifier le profil SSO d'un utilisateur",
|
||||
"checkUserMerged":"Vérifier le profil SSO d'un utilisateur. Les groupes SSO réels et usurpés sont fusionnés !!!",
|
||||
"checkUserComputeSession":"Données de session issues d'une évaluation !!!",
|
||||
"choose2f":"Choisissez votre second facteur",
|
||||
"chooseApp":"Choisissez une application à laquelle vous êtes autorisé à accéder",
|
||||
"clickHere":"Cliquez ici",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Controllare i miei ultimi accessi",
|
||||
"checkUser":"Controlla il profilo SSO dell'utente",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Scegli il tuo secondo fattore",
|
||||
"chooseApp":"Scegli un'applicazione alla quale ti è consentito l'accesso",
|
||||
"clickHere":"Per favore clicka qui",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"Please click here",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Kiểm tra lần đăng nhập cuối cùng của bạn",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Chọn một ứng dụng bạn được phép truy cập vào",
|
||||
"clickHere":"Vui lòng nhấp vào đây",
|
||||
|
|
|
@ -109,6 +109,7 @@
|
|||
"checkLastLogins":"Check my last logins",
|
||||
"checkUser":"Check user SSO profile",
|
||||
"checkUserMerged":"Check user SSO profile. Real and Spoofed SSO groups are merged!!!",
|
||||
"checkUserComputeSession":"Computed session data!!!",
|
||||
"choose2f":"Choose your second factor",
|
||||
"chooseApp":"Choose an application your are allowed to access to",
|
||||
"clickHere":"请点击这里",
|
||||
|
|
|
@ -105,8 +105,8 @@ count(1);
|
|||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUser"' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%, 'Found trspan="checkUserComputeSession"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="alert alert-success"><b><span trspan="allowed"></span></b></div>%,
|
||||
|
|
|
@ -267,7 +267,7 @@ SKIP: {
|
|||
or explain( $res->[2]->[0], 'Value french' );
|
||||
count(4);
|
||||
|
||||
# CheckUser request with unknown user
|
||||
# CheckUser request with an unknown user
|
||||
$query =~ s/user=french/user=rtyler/;
|
||||
ok(
|
||||
$res = $sp->_post(
|
||||
|
@ -286,7 +286,7 @@ m%<div class="message message-positive alert"><span trspan="PE5"></span></div>%,
|
|||
) or explain( $res->[2]->[0], 'PE5 - Unknown identity' );
|
||||
count(2);
|
||||
|
||||
# CheckUser request with an already authneticated user
|
||||
# CheckUser request with an already authenticated user
|
||||
$query =~ s/user=rtyler/user=davros/;
|
||||
ok(
|
||||
$res = $sp->_post(
|
||||
|
|
|
@ -105,8 +105,10 @@ count(1);
|
|||
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url', 'token' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="checkUser">%, 'Found trspan="checkUser"' )
|
||||
or explain( $res->[2]->[0], 'trspan="checkUser"' );
|
||||
ok(
|
||||
$res->[2]->[0] =~ m%<span trspan="checkUserComputeSession">%,
|
||||
'Found trspan="checkUserComputeSession"'
|
||||
) or explain( $res->[2]->[0], 'trspan="checkUserComputeSession"' );
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="alert alert-success"><b><span trspan="allowed"></span></b></div>%,
|
||||
|
|
|
@ -144,6 +144,7 @@ ok( $res->[2]->[0] =~ m%<td class="align-middle">dwho</td>%, 'Found dwho' )
|
|||
or explain( $res->[2]->[0], 'Macro Value dwho' );
|
||||
count(3);
|
||||
|
||||
# Request with bad VH
|
||||
$query =~ s/user=dwho/user=rtyler/;
|
||||
$query =~ s/url=http%3A%2F%2Ftest1.example.com/url=http%3A%2F%2Ftry.example.com/;
|
||||
ok(
|
||||
|
@ -157,8 +158,6 @@ ok(
|
|||
'POST checkuser'
|
||||
);
|
||||
count(1);
|
||||
|
||||
# Request with bad VH
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok( $res->[2]->[0] =~ m%<span trspan="VHnotFound">%,
|
||||
|
@ -166,10 +165,30 @@ ok( $res->[2]->[0] =~ m%<span trspan="VHnotFound">%,
|
|||
or explain( $res->[2]->[0], 'trspan="VHnotFound"' );
|
||||
count(1);
|
||||
|
||||
# Request with forbidden URL
|
||||
$query =~ s#url=http%3A%2F%2Ftry.example.com#url=http%3A%2F%2Fauth.example.com/checkuser#;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkuser',
|
||||
IO::String->new($query),
|
||||
cookie => "lemonldap=$id",
|
||||
length => length($query),
|
||||
accept => 'text/html',
|
||||
),
|
||||
'POST checkuser'
|
||||
);
|
||||
( $host, $url, $query ) =
|
||||
expectForm( $res, undef, '/checkuser', 'user', 'url' );
|
||||
ok(
|
||||
$res->[2]->[0] =~
|
||||
m%<div class="alert alert-danger"><b><span trspan="forbidden"></span></b></div>%,
|
||||
'Found trspan="forbidden"'
|
||||
) or explain( $res->[2]->[0], 'trspan="forbidden"' );
|
||||
count(2);
|
||||
|
||||
# Request with good VH & user
|
||||
$query =~
|
||||
s#url=http%3A%2F%2Ftry.example.com#url=hTTp%3A%2F%2FTest1.exAmple.cOm/UriTesT#;
|
||||
|
||||
s#url=http%3A%2F%2Fauth.example.com%2Fcheckuser#url=hTTp%3A%2F%2FTest1.exAmple.cOm/UriTesT#;
|
||||
ok(
|
||||
$res = $client->_post(
|
||||
'/checkuser',
|
||||
|
@ -222,6 +241,10 @@ ok( $res->[2]->[0] =~ m%<td class="text-left">uid</td>%, 'Found uid' )
|
|||
or explain( $res->[2]->[0], 'Attribute Value uid' );
|
||||
count(11);
|
||||
|
||||
my @c = ( $res->[2]->[0] =~ /<td class="align-middle">rtyler/gs );
|
||||
ok( @c == 2, ' -> Two entries found' );
|
||||
count(1);
|
||||
|
||||
# Request with short VH url & user
|
||||
$query =~
|
||||
s#url=http%3A%2F%2Ftest1.example.com%2FUriTesT#url=http%3A%2F%2Ftest1:1234#;
|
||||
|
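Review bot: The added assertion `ok( @c == 2, ' -> Two entries found' )` reports only pass/fail, so a wrong count gives no diagnostic about how many rtyler cells were actually rendered. If Test::More's `is` is imported alongside `ok`/`explain` in this test, `is( scalar @c, 2, ' -> Two entries found' );` prints the got/expected values on failure at no extra cost. The `count(1)` bookkeeping that follows is unchanged.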
|