From 2da63b7283f0bb9660f71bafac978847ad7d51c6 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Mon, 27 May 2019 16:34:04 +0200
Subject: [PATCH 01/15] Fix bad cache management on configuration saving
Closes: #1754
---
 lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm
index 785deba11..6fdeeeef0 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm
@@ -141,7 +141,7 @@ sub saveConf {
 if ( $self->{refLocalStorage} ) {
 $self->setDefault($conf);
 $self->compactConf($conf);
- $self->setLocalConf($conf);
+ eval { Lemonldap::NG::Handler::Main->reload() };
 }
 return ( $self->unlock() ? $tmp : UNKNOWN_ERROR );
From 4d024cf41a1c51bc6e462b97697e214efb4d8a9e Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Sun, 26 May 2019 22:37:59 +0200
Subject: [PATCH 02/15] Append ServiceToken test (#1773)
---
 .../lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
index a1170d84f..51d28bbb3 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
@@ -18,8 +18,8 @@ sub fetchId {
 # time:_session_id:vhost1:vhost2,...
 my ( $t, $_session_id, @vhosts ) = split /:/, $s;
- # At least one vhost
- unless (@vhosts) {
+ # $_session_id and at least one vhost
+ unless (@vhosts and $_session_id) {
 $class->userLogger->error('Bad service token');
 return 0;
 }
From 781f2996033ccec72acc39443da7e48a3cdef292 Mon Sep 17 00:00:00 2001
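Review bot: The added `eval { Lemonldap::NG::Handler::Main->reload() };` discards every failure: `$@` is never examined, so a reload error or an unloaded module leaves the local configuration cache stale with nothing in the logs, which is the same symptom the commit sets out to fix. The hunk also makes the common library call into the handler package without any visible `require`/`use` of Lemonldap::NG::Handler::Main; if it is loaded only in some processes, the eval silently does nothing in the others. At minimum surface the failure, e.g. `eval { Lemonldap::NG::Handler::Main->reload() }; warn "Handler reload failed: $@" if $@;`. saveConf starts outside the hunk.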
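Review bot: The new guard `unless (@vhosts and $_session_id)` still lets a non-numeric or empty `$t` through, although that first token field is later compared numerically against `time` (the TTL check visible in patch 06's second ServiceToken.pm hunk); a malformed timestamp then fails as 'Expired service token' with a non-numeric/uninitialized warning instead of being reported as a bad token. All three fields come from the same decrypted string, so validate the timestamp alongside the others: `unless ( @vhosts and $_session_id and $t =~ /\A\d+\z/ ) {`. The truthiness test also rejects a session id of literal `0`, which is harmless but worth a one-line comment. fetchId continues outside the hunk.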
From: Christophe Maudoux
Date: Mon, 27 May 2019 19:58:54 +0200
Subject: [PATCH 03/15] Improve unit test (#1773)
---
 .../t/65-Lemonldap-NG-Handler-PSGI-ServiceToken.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lemonldap-ng-handler/t/65-Lemonldap-NG-Handler-PSGI-ServiceToken.t b/lemonldap-ng-handler/t/65-Lemonldap-NG-Handler-PSGI-ServiceToken.t
index 806dedd09..bff8988a9 100644
--- a/lemonldap-ng-handler/t/65-Lemonldap-NG-Handler-PSGI-ServiceToken.t
+++ b/lemonldap-ng-handler/t/65-Lemonldap-NG-Handler-PSGI-ServiceToken.t
@@ -28,7 +28,7 @@ init(
 my $res;
 my $crypt = Lemonldap::NG::Common::Crypto->new('qwertyui');
-my $token = $crypt->encrypt( join ':', time, $sessionId, 'test1.example.com', 'test2.example.com' );
+my $token = $crypt->encrypt( join ':', time, $sessionId, 'test1.example.com', 'test2.example.com', '*.example.com' );
 ok( $res = $client->_get(
From b8d242464d3eadbaec0a5f1e5b992f8ac422be26 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Mon, 27 May 2019 22:40:51 +0200
Subject: [PATCH 04/15] Improve unit tests (#1775)
---
 lemonldap-ng-portal/t/59-Double-cookies-for-Double-sessions.t | 1 +
 lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t | 1 +
 2 files changed, 2 insertions(+)
diff --git a/lemonldap-ng-portal/t/59-Double-cookies-for-Double-sessions.t b/lemonldap-ng-portal/t/59-Double-cookies-for-Double-sessions.t
index 9e0fa15a2..b55782d85 100644
--- a/lemonldap-ng-portal/t/59-Double-cookies-for-Double-sessions.t
+++ b/lemonldap-ng-portal/t/59-Double-cookies-for-Double-sessions.t
@@ -18,6 +18,7 @@ my $client = LLNG::Manager::Test->new( {
 requireToken => 0,
 securedCookie => 2,
 https => 0,
+ singleSession => 1,
 }
 }
 );
diff --git a/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t b/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t
index d1372fdb1..25de134f1 100644
--- a/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t
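Review bot: The token built on the `+my $token` line now carries the wildcard vhost `'*.example.com'`, but nothing in the hunk asserts how that entry is treated, and the `$_session_id` check that patch 02 added to fetchId gets no negative case here as far as the hunk shows. A second token with an empty session-id field, e.g. `my $badToken = $crypt->encrypt( join ':', time, '', 'test1.example.com' );`, followed by an assertion that the request carrying it is refused, would pin the new behaviour. Assertions may of course follow outside the hunk.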
+++ b/lemonldap-ng-portal/t/59-Double-cookies-for-a-Single-session.t
@@ -18,6 +18,7 @@ my $client = LLNG::Manager::Test->new( {
 requireToken => 0,
 securedCookie => 3,
 https => 0,
+ singleSession => 1,
 }
 }
 );
From dece7d8aa01f6e71ab3c3e9a918eb9919d6a80bc Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Mon, 27 May 2019 22:41:51 +0200
Subject: [PATCH 05/15] Allow double sessions for double cookies (#1775)
---
 .../lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm
index 71fb40131..441819fe2 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm
@@ -17,7 +17,7 @@ sub run {
 my ( $self, $req ) = @_;
 my $deleted = [];
 my $otherSessions = [];
-
+ my $httpSessionId = '';
 my $moduleOptions = $self->conf->{globalStorageOptions} || {};
 $moduleOptions->{backend} = $self->conf->{globalStorage};
@@ -26,8 +26,17 @@ sub run {
 $self->conf->{whatToTrace},
 $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
 );
+
+ if ( $self->conf->{securedCookie} == 2 ){
+ $self->logger->debug("Looking for double sessions...");
+ foreach my $id ( keys %$sessions ) {
+ $httpSessionId = $sessions->{$id}->{_session_id} if $sessions->{$id}->{_httpSessionType};
+ }
+ }
+
 foreach my $id ( keys %$sessions ) {
 next if ( $req->id eq $id );
+ next if ( $httpSessionId and $id eq $httpSessionId );
 my $session = $self->p->getApacheSession($id) or next;
 if ( $self->conf->{singleSession}
From 455221781f2044407b7cf97e7f6dd27a636bf5f7 Mon Sep 17 00:00:00 2001
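Review bot: In the new `foreach` under `securedCookie == 2`, `$httpSessionId` is overwritten by every session that has `_httpSessionType`, so the later `next if ( $httpSessionId and $id eq $httpSessionId )` spares only the one that `keys` happened to yield last — not necessarily the twin of `$req->id` — and any other HTTP session of the same user is handled as an ordinary session. Unless the pairing can be recovered from the session data, track all of them in a hash (replacing the `my $httpSessionId = ''` of the first hunk): `my %httpSession;` … `$httpSession{ $sessions->{$id}->{_session_id} } = 1 if $sessions->{$id}->{_httpSessionType};` … `next if $httpSession{$id};`. The tests in patch 04 enable `singleSession` with `securedCookie => 3` as well, yet this lookup runs only for the exact value 2, so it is worth confirming that 3 is meant to be excluded. `==` on an unset `securedCookie` also emits an uninitialized warning; `( $self->conf->{securedCookie} // 0 ) == 2` avoids it. run's body continues outside the hunk.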
From: Christophe Maudoux
Date: Mon, 27 May 2019 23:07:18 +0200
Subject: [PATCH 06/15] Modify ServiceToken TTL option (#1773)
---
 .../lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm | 7 +++++--
 .../lib/Lemonldap/NG/Manager/Attributes.pm | 2 +-
 .../lib/Lemonldap/NG/Manager/Build/Attributes.pm | 2 +-
 lemonldap-ng-manager/site/htdocs/static/js/conftree.js | 2 +-
 lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js | 2 +-
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
index 51d28bbb3..b282b4fd0 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/ServiceToken.pm
@@ -19,7 +19,7 @@ sub fetchId {
 my ( $t, $_session_id, @vhosts ) = split /:/, $s;
 # $_session_id and at least one vhost
- unless (@vhosts and $_session_id) {
+ unless ( @vhosts and $_session_id ) {
 $class->userLogger->error('Bad service token');
 return 0;
 }
@@ -34,7 +34,10 @@ sub fetchId {
 # Is token in good interval ?
 my $localConfig = $class->localConfig;
- my $ttl = $localConfig->{vhostOptions}->{$vh}->{vhostServiceTokenTTL} || $class->tsv->{handlerServiceTokenTTL};
+ my $ttl =
+ $localConfig->{vhostOptions}->{$vh}->{vhostServiceTokenTTL} <= 0
+ ? $class->tsv->{handlerServiceTokenTTL}
+ : $localConfig->{vhostOptions}->{$vh}->{vhostServiceTokenTTL};
 unless ( $t <= time and $t > time - $ttl ) {
 $class->userLogger->warn('Expired service token');
 return 0;
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
index e6b884986..d6dbb37c2 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
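Review bot: The new ternary in the second hunk reads `$localConfig->{vhostOptions}->{$vh}->{vhostServiceTokenTTL}` twice and applies `<= 0` to it even when the vhost has no options entry; an undef value is then numified with an 'uninitialized' warning on every service-token request for that vhost, and the nested dereference autovivifies an empty `$localConfig->{vhostOptions}->{$vh}` hash as a side effect. Read it once with a defined-or default: `my $vhostTtl = $localConfig->{vhostOptions}->{$vh}->{vhostServiceTokenTTL} // -1;` then `my $ttl = $vhostTtl > 0 ? $vhostTtl : $class->tsv->{handlerServiceTokenTTL};`. The fallback `handlerServiceTokenTTL` is itself unchecked: if it is unset or 0, `$t > time - $ttl` refuses every token as 'Expired service token', which is fail-closed but misleading in the logs, so a debug line naming the TTL actually applied would help. fetchId starts outside the hunk.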
@@ -3558,7 +3558,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
 'type' => 'int'
 },
 'vhostServiceTokenTTL' => {
- 'default' => 30,
+ 'default' => -1,
 'type' => 'int'
 },
 'vhostType' => {
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
index 5a82b405f..e1524bbf1 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@@ -1698,7 +1698,7 @@ sub attributes {
 },
 vhostServiceTokenTTL => {
 type => 'int',
- default => 30,
+ default => -1,
 },
 vhostAliases => { type => 'text', },
 vhostType => {
diff --git a/lemonldap-ng-manager/site/htdocs/static/js/conftree.js b/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
index 91cbb5735..0fbe9efe3 100644
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
@@ -1205,7 +1205,7 @@ function templates(tpl,key) {
 "type" : "int"
 },
 {
- "default" : 30,
+ "default" : -1,
 "get" : tpl+"s/"+key+"/"+"vhostServiceTokenTTL",
 "id" : tpl+"s/"+key+"/"+"vhostServiceTokenTTL",
 "title" : "vhostServiceTokenTTL",
diff --git a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
index a8daead64..7c0c4fa51 100644
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
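Review bot: The new default `-1` for `vhostServiceTokenTTL` in the Build/Attributes.pm hunk is a sentinel whose meaning — fall back to `handlerServiceTokenTTL`, per the `<= 0` test in this patch's ServiceToken.pm hunk — is not stated in the attribute definition, and `0` or any negative value behaves identically. Add a comment next to the default, e.g. `default => -1,    # <= 0: use handlerServiceTokenTTL`, so the manager side records the contract an administrator sees in the UI. Attributes.pm and conftree.js look generated from this file, so the comment belongs here rather than in those hunks.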
@@ -1 +1 @@ -function templates(tpl,key){var ind;var scalarTemplate=function(r){return{id:tpl+"s/"+ind++,title:r,get:tpl+"s/"+key+"/"+r}};switch(tpl){case"casAppMetaDataNode":return[{_nodes:[{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsService",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsService",title:"casAppMetaDataOptionsService"},{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",title:"casAppMetaDataOptionsUserAttribute"},{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",title:"casAppMetaDataOptionsRule"}],id:"casAppMetaDataOptions",title:"casAppMetaDataOptions",type:"simpleInputContainer"},{cnodes:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars",default:[{data:"cn",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"mail",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"uid",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars",title:"casAppMetaDataExportedVars",type:"keyTextContainer"}];case"casSrvMetaDataNode":return[{cnodes:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",default:[{data:"cn",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"mail",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"uid",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",title:"casSrvMetaDataExportedVars",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",title:"casSrvMetaDataOptionsProxiedServices",type:"keyTextContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsUrl",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsUrl",title:"casSrvMetaDataOptionsUrl"},{default:0,get:tpl
+"s/"+key+"/"+"casSrvMetaDataOptionsRenew",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsRenew",title:"casSrvMetaDataOptionsRenew",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsGateway",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsGateway",title:"casSrvMetaDataOptionsGateway",type:"bool"}],id:"casSrvMetaDataOptions",title:"casSrvMetaDataOptions",type:"simpleInputContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",title:"casSrvMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsIcon",title:"casSrvMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",title:"casSrvMetaDataOptionsSortNumber",type:"int"}],id:"casSrvMetaDataOptionsDisplay",title:"casSrvMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"oidcOPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataJSON",id:tpl+"s/"+key+"/"+"oidcOPMetaDataJSON",title:"oidcOPMetaDataJSON",type:"file"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataJWKS",id:tpl+"s/"+key+"/"+"oidcOPMetaDataJWKS",title:"oidcOPMetaDataJWKS",type:"file"},{cnodes:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars",default:[{data:"name",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"email",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"family_name",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/sn",title:"sn",type:"keyText"},{data:"sub",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars",title:"oidcOPMetaDataExportedVars",type:"keyTextContainer"},{_nodes:[{_nodes:[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsConfigurationURI",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsConfigurationURI",title:"oidcOPMetaDataOptionsConfigurationURI"},{default:0,get:tpl+"s/"+key+
"/"+"oidcOPMetaDataOptionsJWKSTimeout",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsJWKSTimeout",title:"oidcOPMetaDataOptionsJWKSTimeout",type:"int"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientID",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientID",title:"oidcOPMetaDataOptionsClientID"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",title:"oidcOPMetaDataOptionsClientSecret",type:"password"},{default:0,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",title:"oidcOPMetaDataOptionsStoreIDToken",type:"bool"}],id:"oidcOPMetaDataOptionsConfiguration",title:"oidcOPMetaDataOptionsConfiguration",type:"simpleInputContainer"},{_nodes:[{default:"openid profile",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsScope",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsScope",title:"oidcOPMetaDataOptionsScope"},{default:"",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplay",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplay",select:[{k:"",v:""},{k:"page",v:"page"},{k:"popup",v:"popup"},{k:"touch",v:"touch"},{k:"wap",v:"wap"}],title:"oidcOPMetaDataOptionsDisplay",type:"select"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsPrompt",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsPrompt",title:"oidcOPMetaDataOptionsPrompt"},{default:0,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsMaxAge",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsMaxAge",title:"oidcOPMetaDataOptionsMaxAge",type:"int"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUiLocales",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUiLocales",title:"oidcOPMetaDataOptionsUiLocales"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsAcrValues",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsAcrValues",title:"oidcOPMetaDataOptionsAcrValues"},{default:"client_secret_post",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsTokenEndpointAuthMethod",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsTokenEndpointAuthMethod",select:[{k:"client_secret_post",v:"client_s
ecret_post"},{k:"client_secret_basic",v:"client_secret_basic"}],title:"oidcOPMetaDataOptionsTokenEndpointAuthMethod",type:"select"},{default:1,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsCheckJWTSignature",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsCheckJWTSignature",title:"oidcOPMetaDataOptionsCheckJWTSignature",type:"bool"},{default:30,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIDTokenMaxAge",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIDTokenMaxAge",title:"oidcOPMetaDataOptionsIDTokenMaxAge",type:"int"},{default:1,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUseNonce",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUseNonce",title:"oidcOPMetaDataOptionsUseNonce",type:"bool"}],id:"oidcOPMetaDataOptionsProtocol",title:"oidcOPMetaDataOptionsProtocol",type:"simpleInputContainer"}],id:"oidcOPMetaDataOptions",title:"oidcOPMetaDataOptions"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplayName",title:"oidcOPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIcon",title:"oidcOPMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",title:"oidcOPMetaDataOptionsSortNumber",type:"int"}],id:"oidcOPMetaDataOptionsDisplayParams",title:"oidcOPMetaDataOptionsDisplayParams",type:"simpleInputContainer"}];case"oidcRPMetaDataNode":return[{cnodes:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars",default:[{data:"mail",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/email",title:"email",type:"keyText"},{data:"sn",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/family_name",title:"family_name",type:"keyText"},{data:"cn",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/name",title:"name",type:"keyText"}],id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars",title:"oidcRPMetaDataExportedVars",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsExtraClaims",default:[],id:tpl+"s/"+key
+"/"+"oidcRPMetaDataOptionsExtraClaims",title:"oidcRPMetaDataOptionsExtraClaims",type:"keyTextContainer"},{_nodes:[{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientID",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientID",title:"oidcRPMetaDataOptionsClientID"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientSecret",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientSecret",title:"oidcRPMetaDataOptionsClientSecret",type:"password"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPublic",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPublic",title:"oidcRPMetaDataOptionsPublic",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRequirePKCE",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRequirePKCE",title:"oidcRPMetaDataOptionsRequirePKCE",type:"bool"}],id:"oidcRPMetaDataOptionsAuthentication",title:"oidcRPMetaDataOptionsAuthentication",type:"simpleInputContainer"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsUserIDAttr",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsUserIDAttr",title:"oidcRPMetaDataOptionsUserIDAttr"},{default:"HS512",get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenSignAlg",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenSignAlg",select:[{k:"none",v:"None"},{k:"HS256",v:"HS256"},{k:"HS384",v:"HS384"},{k:"HS512",v:"HS512"},{k:"RS256",v:"RS256"},{k:"RS384",v:"RS384"},{k:"RS512",v:"RS512"}],title:"oidcRPMetaDataOptionsIDTokenSignAlg",type:"select"},{default:3600,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",title:"oidcRPMetaDataOptionsIDTokenExpiration",type:"int"},{default:3600,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",title:"oidcRPMetaDataOptionsAccessTokenExpiration",type:"int"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",title:"oidcRPMetaDataOptionsRedirectUris"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPM
etaDataOptionsBypassConsent",help:"openidconnectclaims.html",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsBypassConsent",title:"oidcRPMetaDataOptionsBypassConsent",type:"bool"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",title:"oidcRPMetaDataOptionsPostLogoutRedirectUris"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",title:"oidcRPMetaDataOptionsLogoutUrl"},{default:"front",get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutType",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutType",select:[{k:"front",v:"Front Channel"},{k:"back",v:"Back Channel"}],title:"oidcRPMetaDataOptionsLogoutType",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutSessionRequired",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutSessionRequired",title:"oidcRPMetaDataOptionsLogoutSessionRequired",type:"bool"}],id:"logout",title:"logout",type:"simpleInputContainer"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",title:"oidcRPMetaDataOptionsRule"}],id:"oidcRPMetaDataOptions",title:"oidcRPMetaDataOptions"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsDisplayName",title:"oidcRPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIcon",title:"oidcRPMetaDataOptionsIcon"}],id:"oidcRPMetaDataOptionsDisplay",title:"oidcRPMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"samlIDPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"samlIDPMetaDataXML",id:tpl+"s/"+key+"/"+"samlIDPMetaDataXML",title:"samlIDPMetaDataXML",type:"file"},{cnodes:tpl+"s/"+key+"/"+"samlIDPMetaDataExportedAttributes",default:[],help:"authsaml.html#exported_attributes",id:tpl+"s/"+key+"/"+"samlIDPMetaDataExportedAttributes",title:"samlIDPMetaDataExportedAttributes",type:"samlAtt
ributeContainer"},{_nodes:[{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAdaptSessionUtime",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAdaptSessionUtime",title:"samlIDPMetaDataOptionsAdaptSessionUtime",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceUTF8",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceUTF8",title:"samlIDPMetaDataOptionsForceUTF8",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsStoreSAMLToken",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsStoreSAMLToken",title:"samlIDPMetaDataOptionsStoreSAMLToken",type:"bool"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsUserAttribute",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsUserAttribute",title:"samlIDPMetaDataOptionsUserAttribute"}],id:"samlIDPMetaDataOptionsSession",title:"samlIDPMetaDataOptionsSession",type:"simpleInputContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSSOMessage",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSSOMessage",title:"samlIDPMetaDataOptionsSignSSOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSSOMessageSignature",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSSOMessageSignature",title:"samlIDPMetaDataOptionsCheckSSOMessageSignature",type:"bool"},{default:-1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSLOMessage",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSLOMessage",title:"samlIDPMetaDataOptionsSignSLOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSLOMessageSignature",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSLOMessageSignature",title:"samlIDPMetaDataOptionsCheckSLOMessageSignature",type:"bool"}],id:"samlIDPMetaDataOptionsSignature",title:"samlIDPMetaDataOptionsSignature",type:"simpleInputContainer"},{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSSOBinding",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSSOBinding",select:[{k:"",v:""},{k:"http-post",v:"POST"},{k:"http-redirect",v:"Redirect"},{k:"art
ifact-get",v:"Artifact GET"}],title:"samlIDPMetaDataOptionsSSOBinding",type:"select"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSLOBinding",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSLOBinding",select:[{k:"",v:""},{k:"http-post",v:"POST"},{k:"http-redirect",v:"Redirect"},{k:"http-soap",v:"SOAP"}],title:"samlIDPMetaDataOptionsSLOBinding",type:"select"}],id:"samlIDPMetaDataOptionsBinding",title:"samlIDPMetaDataOptionsBinding",type:"simpleInputContainer"},{_nodes:[{default:"none",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsEncryptionMode",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsEncryptionMode",select:[{k:"none",v:"None"},{k:"nameid",v:"Name ID"},{k:"assertion",v:"Assertion"}],title:"samlIDPMetaDataOptionsEncryptionMode",type:"select"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckTime",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckTime",title:"samlIDPMetaDataOptionsCheckTime",type:"bool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckAudience",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckAudience",title:"samlIDPMetaDataOptionsCheckAudience",type:"bool"}],id:"samlIDPMetaDataOptionsSecurity",title:"samlIDPMetaDataOptionsSecurity",type:"simpleInputContainer"},{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",title:"samlIDPMetaDataOptionsResolutionRule",type:"longtext"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsNameIDFormat",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsNameIDFormat",select:[{k:"",v:""},{k:"unspecified",v:"Unspecified"},{k:"email",v:"Email"},{k:"x509",v:"X509 
certificate"},{k:"windows",v:"Windows"},{k:"kerberos",v:"Kerberos"},{k:"entity",v:"Entity"},{k:"persistent",v:"Persistent"},{k:"transient",v:"Transient"},{k:"encrypted",v:"Encrypted"}],title:"samlIDPMetaDataOptionsNameIDFormat",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceAuthn",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceAuthn",title:"samlIDPMetaDataOptionsForceAuthn",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIsPassive",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIsPassive",title:"samlIDPMetaDataOptionsIsPassive",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",title:"samlIDPMetaDataOptionsAllowProxiedAuthn",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowLoginFromIDP",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowLoginFromIDP",title:"samlIDPMetaDataOptionsAllowLoginFromIDP",type:"bool"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRequestedAuthnContext",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRequestedAuthnContext",select:[{k:"",v:""},{k:"kerberos",v:"Kerberos"},{k:"password-protected-transport",v:"Password protected transport"},{k:"password",v:"Password"},{k:"tls-client",v:"TLS client 
certificate"}],title:"samlIDPMetaDataOptionsRequestedAuthnContext",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRelayStateURL",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRelayStateURL",title:"samlIDPMetaDataOptionsRelayStateURL",type:"bool"}],help:"authsaml.html#options",id:"samlIDPMetaDataOptions",title:"samlIDPMetaDataOptions",type:"simpleInputContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsDisplayName",title:"samlIDPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIcon",title:"samlIDPMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",title:"samlIDPMetaDataOptionsSortNumber",type:"int"}],id:"samlIDPMetaDataOptionsDisplay",title:"samlIDPMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"samlSPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"samlSPMetaDataXML",id:tpl+"s/"+key+"/"+"samlSPMetaDataXML",title:"samlSPMetaDataXML",type:"file"},{cnodes:tpl+"s/"+key+"/"+"samlSPMetaDataExportedAttributes",default:[],help:"idpsaml.html#exported_attributes",id:tpl+"s/"+key+"/"+"samlSPMetaDataExportedAttributes",title:"samlSPMetaDataExportedAttributes",type:"samlAttributeContainer"},{_nodes:[{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDFormat",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDFormat",select:[{k:"",v:""},{k:"unspecified",v:"Unspecified"},{k:"email",v:"Email"},{k:"x509",v:"X509 
certificate"},{k:"windows",v:"Windows"},{k:"kerberos",v:"Kerberos"},{k:"entity",v:"Entity"},{k:"persistent",v:"Persistent"},{k:"transient",v:"Transient"},{k:"encrypted",v:"Encrypted"}],title:"samlSPMetaDataOptionsNameIDFormat",type:"select"},{get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDSessionKey",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDSessionKey",title:"samlSPMetaDataOptionsNameIDSessionKey"},{default:0,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsOneTimeUse",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsOneTimeUse",title:"samlSPMetaDataOptionsOneTimeUse",type:"bool"},{default:72e3,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",title:"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",type:"int"},{default:72e3,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNotOnOrAfterTimeout",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNotOnOrAfterTimeout",title:"samlSPMetaDataOptionsNotOnOrAfterTimeout",type:"int"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsForceUTF8",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsForceUTF8",title:"samlSPMetaDataOptionsForceUTF8",type:"bool"}],id:"samlSPMetaDataOptionsAuthnResponse",title:"samlSPMetaDataOptionsAuthnResponse",type:"simpleInputContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSSOMessage",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSSOMessage",title:"samlSPMetaDataOptionsSignSSOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSSOMessageSignature",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSSOMessageSignature",title:"samlSPMetaDataOptionsCheckSSOMessageSignature",type:"bool"},{default:-1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSLOMessage",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSLOMessage",title:"samlSPMetaDataOptionsSignSLOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSLOMessageSignature",id:tpl+"s/"+key+"/"+"samlSPMet
aDataOptionsCheckSLOMessageSignature",title:"samlSPMetaDataOptionsCheckSLOMessageSignature",type:"bool"}],id:"samlSPMetaDataOptionsSignature",title:"samlSPMetaDataOptionsSignature",type:"simpleInputContainer"},{_nodes:[{default:"none",get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEncryptionMode",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEncryptionMode",select:[{k:"none",v:"None"},{k:"nameid",v:"Name ID"},{k:"assertion",v:"Assertion"}],title:"samlSPMetaDataOptionsEncryptionMode",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEnableIDPInitiatedURL",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEnableIDPInitiatedURL",title:"samlSPMetaDataOptionsEnableIDPInitiatedURL",type:"bool"},{get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",title:"samlSPMetaDataOptionsRule"}],id:"samlSPMetaDataOptionsSecurity",title:"samlSPMetaDataOptionsSecurity",type:"simpleInputContainer"}],help:"idpsaml.html#options",id:"samlSPMetaDataOptions",title:"samlSPMetaDataOptions"}];case"virtualHost":return[{cnodes:tpl+"s/"+key+"/"+"locationRules",default:[{data:"deny",id:tpl+"s/"+key+"/"+"locationRules/default",re:"default",title:"default",type:"rule"}],help:"writingrulesand_headers.html#rules",id:tpl+"s/"+key+"/"+"locationRules",title:"locationRules",type:"ruleContainer"},{cnodes:tpl+"s/"+key+"/"+"exportedHeaders",help:"writingrulesand_headers.html#headers",id:tpl+"s/"+key+"/"+"exportedHeaders",title:"exportedHeaders",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"post",help:"formreplay.html",id:tpl+"s/"+key+"/"+"post",title:"post",type:"postContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"vhostPort",id:tpl+"s/"+key+"/"+"vhostPort",title:"vhostPort",type:"int"},{default:-1,get:tpl+"s/"+key+"/"+"vhostHttps",id:tpl+"s/"+key+"/"+"vhostHttps",title:"vhostHttps",type:"trool"},{default:0,get:tpl+"s/"+key+"/"+"vhostMaintenance",id:tpl+"s/"+key+"/"+"vhostMaintenance",title:"vhostMaintenance",type:"bool"},{get:tpl+"s/"+key+"/"+"vhostAli
ases",id:tpl+"s/"+key+"/"+"vhostAliases",title:"vhostAliases"},{default:"Main",get:tpl+"s/"+key+"/"+"vhostType",id:tpl+"s/"+key+"/"+"vhostType",select:[{k:"AuthBasic",v:"AuthBasic"},{k:"CDA",v:"CDA"},{k:"DevOps",v:"DevOps"},{k:"DevOpsST",v:"DevOpsST"},{k:"Main",v:"Main"},{k:"OAuth2",v:"OAuth2"},{k:"SecureToken",v:"SecureToken"},{k:"ServiceToken",v:"ServiceToken"},{k:"Zimbra",v:"ZimbraPreAuth"}],title:"vhostType",type:"select"},{get:tpl+"s/"+key+"/"+"vhostAuthnLevel",id:tpl+"s/"+key+"/"+"vhostAuthnLevel",title:"vhostAuthnLevel",type:"int"},{default:30,get:tpl+"s/"+key+"/"+"vhostServiceTokenTTL",id:tpl+"s/"+key+"/"+"vhostServiceTokenTTL",title:"vhostServiceTokenTTL",type:"int"}],help:"configvhost.html#options",id:"vhostOptions",title:"vhostOptions",type:"simpleInputContainer"}];default:return[]}}function setScopeVars(scope){scope.portal=scope.data[0]._nodes[0]._nodes[0];scope.getKey(scope.portal);scope.domain=scope.data[0]._nodes[4]._nodes[1];scope.getKey(scope.domain)} +function templates(tpl,key){var ind;var 
scalarTemplate=function(r){return{id:tpl+"s/"+ind++,title:r,get:tpl+"s/"+key+"/"+r}};switch(tpl){case"casAppMetaDataNode":return[{_nodes:[{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsService",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsService",title:"casAppMetaDataOptionsService"},{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsUserAttribute",title:"casAppMetaDataOptionsUserAttribute"},{get:tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"casAppMetaDataOptionsRule",title:"casAppMetaDataOptionsRule"}],id:"casAppMetaDataOptions",title:"casAppMetaDataOptions",type:"simpleInputContainer"},{cnodes:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars",default:[{data:"cn",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"mail",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"uid",id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"casAppMetaDataExportedVars",title:"casAppMetaDataExportedVars",type:"keyTextContainer"}];case"casSrvMetaDataNode":return[{cnodes:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",default:[{data:"cn",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"mail",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"uid",id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"casSrvMetaDataExportedVars",title:"casSrvMetaDataExportedVars",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsProxiedServices",title:"casSrvMetaDataOptionsProxiedServices",type:"keyTextContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsUrl",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsUrl",title:"casSrvMetaDataOptionsUrl"},{default:0,get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsRenew",id:tpl+"s/
"+key+"/"+"casSrvMetaDataOptionsRenew",title:"casSrvMetaDataOptionsRenew",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsGateway",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsGateway",title:"casSrvMetaDataOptionsGateway",type:"bool"}],id:"casSrvMetaDataOptions",title:"casSrvMetaDataOptions",type:"simpleInputContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsDisplayName",title:"casSrvMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsIcon",title:"casSrvMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"casSrvMetaDataOptionsSortNumber",title:"casSrvMetaDataOptionsSortNumber",type:"int"}],id:"casSrvMetaDataOptionsDisplay",title:"casSrvMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"oidcOPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataJSON",id:tpl+"s/"+key+"/"+"oidcOPMetaDataJSON",title:"oidcOPMetaDataJSON",type:"file"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataJWKS",id:tpl+"s/"+key+"/"+"oidcOPMetaDataJWKS",title:"oidcOPMetaDataJWKS",type:"file"},{cnodes:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars",default:[{data:"name",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/cn",title:"cn",type:"keyText"},{data:"email",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/mail",title:"mail",type:"keyText"},{data:"family_name",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/sn",title:"sn",type:"keyText"},{data:"sub",id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars/uid",title:"uid",type:"keyText"}],id:tpl+"s/"+key+"/"+"oidcOPMetaDataExportedVars",title:"oidcOPMetaDataExportedVars",type:"keyTextContainer"},{_nodes:[{_nodes:[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsConfigurationURI",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsConfigurationURI",title:"oidcOPMetaDataOptionsConfigurationURI"},{default:0,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsJWKSTimeout",id:tpl+"s/"+ke
y+"/"+"oidcOPMetaDataOptionsJWKSTimeout",title:"oidcOPMetaDataOptionsJWKSTimeout",type:"int"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientID",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientID",title:"oidcOPMetaDataOptionsClientID"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsClientSecret",title:"oidcOPMetaDataOptionsClientSecret",type:"password"},{default:0,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsStoreIDToken",title:"oidcOPMetaDataOptionsStoreIDToken",type:"bool"}],id:"oidcOPMetaDataOptionsConfiguration",title:"oidcOPMetaDataOptionsConfiguration",type:"simpleInputContainer"},{_nodes:[{default:"openid profile",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsScope",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsScope",title:"oidcOPMetaDataOptionsScope"},{default:"",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplay",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplay",select:[{k:"",v:""},{k:"page",v:"page"},{k:"popup",v:"popup"},{k:"touch",v:"touch"},{k:"wap",v:"wap"}],title:"oidcOPMetaDataOptionsDisplay",type:"select"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsPrompt",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsPrompt",title:"oidcOPMetaDataOptionsPrompt"},{default:0,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsMaxAge",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsMaxAge",title:"oidcOPMetaDataOptionsMaxAge",type:"int"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUiLocales",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUiLocales",title:"oidcOPMetaDataOptionsUiLocales"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsAcrValues",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsAcrValues",title:"oidcOPMetaDataOptionsAcrValues"},{default:"client_secret_post",get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsTokenEndpointAuthMethod",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsTokenEndpointAuthMethod",select:[{k:"client_secret_post",v:"client_secret_post"},{k:"client_secret_basic",v:"client_secre
t_basic"}],title:"oidcOPMetaDataOptionsTokenEndpointAuthMethod",type:"select"},{default:1,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsCheckJWTSignature",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsCheckJWTSignature",title:"oidcOPMetaDataOptionsCheckJWTSignature",type:"bool"},{default:30,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIDTokenMaxAge",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIDTokenMaxAge",title:"oidcOPMetaDataOptionsIDTokenMaxAge",type:"int"},{default:1,get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUseNonce",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsUseNonce",title:"oidcOPMetaDataOptionsUseNonce",type:"bool"}],id:"oidcOPMetaDataOptionsProtocol",title:"oidcOPMetaDataOptionsProtocol",type:"simpleInputContainer"}],id:"oidcOPMetaDataOptions",title:"oidcOPMetaDataOptions"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsDisplayName",title:"oidcOPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsIcon",title:"oidcOPMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"oidcOPMetaDataOptionsSortNumber",title:"oidcOPMetaDataOptionsSortNumber",type:"int"}],id:"oidcOPMetaDataOptionsDisplayParams",title:"oidcOPMetaDataOptionsDisplayParams",type:"simpleInputContainer"}];case"oidcRPMetaDataNode":return[{cnodes:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars",default:[{data:"mail",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/email",title:"email",type:"keyText"},{data:"sn",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/family_name",title:"family_name",type:"keyText"},{data:"cn",id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars/name",title:"name",type:"keyText"}],id:tpl+"s/"+key+"/"+"oidcRPMetaDataExportedVars",title:"oidcRPMetaDataExportedVars",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsExtraClaims",default:[],id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsExtraClaims",title:"oidcRP
MetaDataOptionsExtraClaims",type:"keyTextContainer"},{_nodes:[{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientID",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientID",title:"oidcRPMetaDataOptionsClientID"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientSecret",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsClientSecret",title:"oidcRPMetaDataOptionsClientSecret",type:"password"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPublic",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPublic",title:"oidcRPMetaDataOptionsPublic",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRequirePKCE",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRequirePKCE",title:"oidcRPMetaDataOptionsRequirePKCE",type:"bool"}],id:"oidcRPMetaDataOptionsAuthentication",title:"oidcRPMetaDataOptionsAuthentication",type:"simpleInputContainer"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsUserIDAttr",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsUserIDAttr",title:"oidcRPMetaDataOptionsUserIDAttr"},{default:"HS512",get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenSignAlg",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenSignAlg",select:[{k:"none",v:"None"},{k:"HS256",v:"HS256"},{k:"HS384",v:"HS384"},{k:"HS512",v:"HS512"},{k:"RS256",v:"RS256"},{k:"RS384",v:"RS384"},{k:"RS512",v:"RS512"}],title:"oidcRPMetaDataOptionsIDTokenSignAlg",type:"select"},{default:3600,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIDTokenExpiration",title:"oidcRPMetaDataOptionsIDTokenExpiration",type:"int"},{default:3600,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsAccessTokenExpiration",title:"oidcRPMetaDataOptionsAccessTokenExpiration",type:"int"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRedirectUris",title:"oidcRPMetaDataOptionsRedirectUris"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsBypassConsent",help:"openidconnectclaim
s.html",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsBypassConsent",title:"oidcRPMetaDataOptionsBypassConsent",type:"bool"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsPostLogoutRedirectUris",title:"oidcRPMetaDataOptionsPostLogoutRedirectUris"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutUrl",title:"oidcRPMetaDataOptionsLogoutUrl"},{default:"front",get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutType",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutType",select:[{k:"front",v:"Front Channel"},{k:"back",v:"Back Channel"}],title:"oidcRPMetaDataOptionsLogoutType",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutSessionRequired",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsLogoutSessionRequired",title:"oidcRPMetaDataOptionsLogoutSessionRequired",type:"bool"}],id:"logout",title:"logout",type:"simpleInputContainer"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsRule",title:"oidcRPMetaDataOptionsRule"}],id:"oidcRPMetaDataOptions",title:"oidcRPMetaDataOptions"},{_nodes:[{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsDisplayName",title:"oidcRPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"oidcRPMetaDataOptionsIcon",title:"oidcRPMetaDataOptionsIcon"}],id:"oidcRPMetaDataOptionsDisplay",title:"oidcRPMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"samlIDPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"samlIDPMetaDataXML",id:tpl+"s/"+key+"/"+"samlIDPMetaDataXML",title:"samlIDPMetaDataXML",type:"file"},{cnodes:tpl+"s/"+key+"/"+"samlIDPMetaDataExportedAttributes",default:[],help:"authsaml.html#exported_attributes",id:tpl+"s/"+key+"/"+"samlIDPMetaDataExportedAttributes",title:"samlIDPMetaDataExportedAttributes",type:"samlAttributeContainer"},{_nodes:[{default:0,get:tpl+"s/"+ke
y+"/"+"samlIDPMetaDataOptionsAdaptSessionUtime",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAdaptSessionUtime",title:"samlIDPMetaDataOptionsAdaptSessionUtime",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceUTF8",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceUTF8",title:"samlIDPMetaDataOptionsForceUTF8",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsStoreSAMLToken",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsStoreSAMLToken",title:"samlIDPMetaDataOptionsStoreSAMLToken",type:"bool"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsUserAttribute",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsUserAttribute",title:"samlIDPMetaDataOptionsUserAttribute"}],id:"samlIDPMetaDataOptionsSession",title:"samlIDPMetaDataOptionsSession",type:"simpleInputContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSSOMessage",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSSOMessage",title:"samlIDPMetaDataOptionsSignSSOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSSOMessageSignature",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSSOMessageSignature",title:"samlIDPMetaDataOptionsCheckSSOMessageSignature",type:"bool"},{default:-1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSLOMessage",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSLOMessage",title:"samlIDPMetaDataOptionsSignSLOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSLOMessageSignature",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckSLOMessageSignature",title:"samlIDPMetaDataOptionsCheckSLOMessageSignature",type:"bool"}],id:"samlIDPMetaDataOptionsSignature",title:"samlIDPMetaDataOptionsSignature",type:"simpleInputContainer"},{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSSOBinding",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSSOBinding",select:[{k:"",v:""},{k:"http-post",v:"POST"},{k:"http-redirect",v:"Redirect"},{k:"artifact-get",v:"Artifact 
GET"}],title:"samlIDPMetaDataOptionsSSOBinding",type:"select"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSLOBinding",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSLOBinding",select:[{k:"",v:""},{k:"http-post",v:"POST"},{k:"http-redirect",v:"Redirect"},{k:"http-soap",v:"SOAP"}],title:"samlIDPMetaDataOptionsSLOBinding",type:"select"}],id:"samlIDPMetaDataOptionsBinding",title:"samlIDPMetaDataOptionsBinding",type:"simpleInputContainer"},{_nodes:[{default:"none",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsEncryptionMode",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsEncryptionMode",select:[{k:"none",v:"None"},{k:"nameid",v:"Name ID"},{k:"assertion",v:"Assertion"}],title:"samlIDPMetaDataOptionsEncryptionMode",type:"select"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckTime",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckTime",title:"samlIDPMetaDataOptionsCheckTime",type:"bool"},{default:1,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckAudience",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsCheckAudience",title:"samlIDPMetaDataOptionsCheckAudience",type:"bool"}],id:"samlIDPMetaDataOptionsSecurity",title:"samlIDPMetaDataOptionsSecurity",type:"simpleInputContainer"},{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsResolutionRule",title:"samlIDPMetaDataOptionsResolutionRule",type:"longtext"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsNameIDFormat",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsNameIDFormat",select:[{k:"",v:""},{k:"unspecified",v:"Unspecified"},{k:"email",v:"Email"},{k:"x509",v:"X509 
certificate"},{k:"windows",v:"Windows"},{k:"kerberos",v:"Kerberos"},{k:"entity",v:"Entity"},{k:"persistent",v:"Persistent"},{k:"transient",v:"Transient"},{k:"encrypted",v:"Encrypted"}],title:"samlIDPMetaDataOptionsNameIDFormat",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceAuthn",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsForceAuthn",title:"samlIDPMetaDataOptionsForceAuthn",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIsPassive",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIsPassive",title:"samlIDPMetaDataOptionsIsPassive",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",title:"samlIDPMetaDataOptionsAllowProxiedAuthn",type:"bool"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowLoginFromIDP",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowLoginFromIDP",title:"samlIDPMetaDataOptionsAllowLoginFromIDP",type:"bool"},{default:"",get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRequestedAuthnContext",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRequestedAuthnContext",select:[{k:"",v:""},{k:"kerberos",v:"Kerberos"},{k:"password-protected-transport",v:"Password protected transport"},{k:"password",v:"Password"},{k:"tls-client",v:"TLS client 
certificate"}],title:"samlIDPMetaDataOptionsRequestedAuthnContext",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRelayStateURL",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsRelayStateURL",title:"samlIDPMetaDataOptionsRelayStateURL",type:"bool"}],help:"authsaml.html#options",id:"samlIDPMetaDataOptions",title:"samlIDPMetaDataOptions",type:"simpleInputContainer"},{_nodes:[{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsDisplayName",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsDisplayName",title:"samlIDPMetaDataOptionsDisplayName"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIcon",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsIcon",title:"samlIDPMetaDataOptionsIcon"},{get:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",id:tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSortNumber",title:"samlIDPMetaDataOptionsSortNumber",type:"int"}],id:"samlIDPMetaDataOptionsDisplay",title:"samlIDPMetaDataOptionsDisplay",type:"simpleInputContainer"}];case"samlSPMetaDataNode":return[{get:tpl+"s/"+key+"/"+"samlSPMetaDataXML",id:tpl+"s/"+key+"/"+"samlSPMetaDataXML",title:"samlSPMetaDataXML",type:"file"},{cnodes:tpl+"s/"+key+"/"+"samlSPMetaDataExportedAttributes",default:[],help:"idpsaml.html#exported_attributes",id:tpl+"s/"+key+"/"+"samlSPMetaDataExportedAttributes",title:"samlSPMetaDataExportedAttributes",type:"samlAttributeContainer"},{_nodes:[{_nodes:[{default:"",get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDFormat",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDFormat",select:[{k:"",v:""},{k:"unspecified",v:"Unspecified"},{k:"email",v:"Email"},{k:"x509",v:"X509 
certificate"},{k:"windows",v:"Windows"},{k:"kerberos",v:"Kerberos"},{k:"entity",v:"Entity"},{k:"persistent",v:"Persistent"},{k:"transient",v:"Transient"},{k:"encrypted",v:"Encrypted"}],title:"samlSPMetaDataOptionsNameIDFormat",type:"select"},{get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDSessionKey",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNameIDSessionKey",title:"samlSPMetaDataOptionsNameIDSessionKey"},{default:0,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsOneTimeUse",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsOneTimeUse",title:"samlSPMetaDataOptionsOneTimeUse",type:"bool"},{default:72e3,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",title:"samlSPMetaDataOptionsSessionNotOnOrAfterTimeout",type:"int"},{default:72e3,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNotOnOrAfterTimeout",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsNotOnOrAfterTimeout",title:"samlSPMetaDataOptionsNotOnOrAfterTimeout",type:"int"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsForceUTF8",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsForceUTF8",title:"samlSPMetaDataOptionsForceUTF8",type:"bool"}],id:"samlSPMetaDataOptionsAuthnResponse",title:"samlSPMetaDataOptionsAuthnResponse",type:"simpleInputContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSSOMessage",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSSOMessage",title:"samlSPMetaDataOptionsSignSSOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSSOMessageSignature",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSSOMessageSignature",title:"samlSPMetaDataOptionsCheckSSOMessageSignature",type:"bool"},{default:-1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSLOMessage",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSLOMessage",title:"samlSPMetaDataOptionsSignSLOMessage",type:"trool"},{default:1,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsCheckSLOMessageSignature",id:tpl+"s/"+key+"/"+"samlSPMet
aDataOptionsCheckSLOMessageSignature",title:"samlSPMetaDataOptionsCheckSLOMessageSignature",type:"bool"}],id:"samlSPMetaDataOptionsSignature",title:"samlSPMetaDataOptionsSignature",type:"simpleInputContainer"},{_nodes:[{default:"none",get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEncryptionMode",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEncryptionMode",select:[{k:"none",v:"None"},{k:"nameid",v:"Name ID"},{k:"assertion",v:"Assertion"}],title:"samlSPMetaDataOptionsEncryptionMode",type:"select"},{default:0,get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEnableIDPInitiatedURL",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsEnableIDPInitiatedURL",title:"samlSPMetaDataOptionsEnableIDPInitiatedURL",type:"bool"},{get:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",id:tpl+"s/"+key+"/"+"samlSPMetaDataOptionsRule",title:"samlSPMetaDataOptionsRule"}],id:"samlSPMetaDataOptionsSecurity",title:"samlSPMetaDataOptionsSecurity",type:"simpleInputContainer"}],help:"idpsaml.html#options",id:"samlSPMetaDataOptions",title:"samlSPMetaDataOptions"}];case"virtualHost":return[{cnodes:tpl+"s/"+key+"/"+"locationRules",default:[{data:"deny",id:tpl+"s/"+key+"/"+"locationRules/default",re:"default",title:"default",type:"rule"}],help:"writingrulesand_headers.html#rules",id:tpl+"s/"+key+"/"+"locationRules",title:"locationRules",type:"ruleContainer"},{cnodes:tpl+"s/"+key+"/"+"exportedHeaders",help:"writingrulesand_headers.html#headers",id:tpl+"s/"+key+"/"+"exportedHeaders",title:"exportedHeaders",type:"keyTextContainer"},{cnodes:tpl+"s/"+key+"/"+"post",help:"formreplay.html",id:tpl+"s/"+key+"/"+"post",title:"post",type:"postContainer"},{_nodes:[{default:-1,get:tpl+"s/"+key+"/"+"vhostPort",id:tpl+"s/"+key+"/"+"vhostPort",title:"vhostPort",type:"int"},{default:-1,get:tpl+"s/"+key+"/"+"vhostHttps",id:tpl+"s/"+key+"/"+"vhostHttps",title:"vhostHttps",type:"trool"},{default:0,get:tpl+"s/"+key+"/"+"vhostMaintenance",id:tpl+"s/"+key+"/"+"vhostMaintenance",title:"vhostMaintenance",type:"bool"},{get:tpl+"s/"+key+"/"+"vhostAli
ases",id:tpl+"s/"+key+"/"+"vhostAliases",title:"vhostAliases"},{default:"Main",get:tpl+"s/"+key+"/"+"vhostType",id:tpl+"s/"+key+"/"+"vhostType",select:[{k:"AuthBasic",v:"AuthBasic"},{k:"CDA",v:"CDA"},{k:"DevOps",v:"DevOps"},{k:"DevOpsST",v:"DevOpsST"},{k:"Main",v:"Main"},{k:"OAuth2",v:"OAuth2"},{k:"SecureToken",v:"SecureToken"},{k:"ServiceToken",v:"ServiceToken"},{k:"Zimbra",v:"ZimbraPreAuth"}],title:"vhostType",type:"select"},{get:tpl+"s/"+key+"/"+"vhostAuthnLevel",id:tpl+"s/"+key+"/"+"vhostAuthnLevel",title:"vhostAuthnLevel",type:"int"},{default:-1,get:tpl+"s/"+key+"/"+"vhostServiceTokenTTL",id:tpl+"s/"+key+"/"+"vhostServiceTokenTTL",title:"vhostServiceTokenTTL",type:"int"}],help:"configvhost.html#options",id:"vhostOptions",title:"vhostOptions",type:"simpleInputContainer"}];default:return[]}}function setScopeVars(scope){scope.portal=scope.data[0]._nodes[0]._nodes[0];scope.getKey(scope.portal);scope.domain=scope.data[0]._nodes[4]._nodes[1];scope.getKey(scope.domain)} From b12992755ff721338534d02b8f27cfddd1ccaab5 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Mon, 27 May 2019 17:03:08 +0200 Subject: [PATCH 07/15] Preserve applicationList key names (#1521) Previously, every configuration save from the manager would overwrite applicationList key names to preserve their ordering. This commit introduces a new "order" key in the JSON config instead. --- .../Lemonldap/NG/Common/Conf/RESTServer.pm | 9 ++- .../lib/Lemonldap/NG/Manager/Conf/Diff.pm | 4 +- .../lib/Lemonldap/NG/Manager/Conf/Parser.pm | 69 ++++++++++++++----- lemonldap-ng-manager/t/conf/lmConf-1.json | 21 ++++-- .../lib/Lemonldap/NG/Portal/Main/Menu.pm | 42 ++++++++--- 5 files changed, 108 insertions(+), 37 deletions(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm index 9fe481c8a..57881ad63 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm 
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm @@ -644,7 +644,14 @@ sub _scanCatsAndApps { my ( $self, $apps, $baseId ) = @_; my @res; - foreach my $cat ( grep { not /^(?:catname|type)$/ } sort keys %$apps ) { + foreach my $cat ( + sort { + ( $apps->{$a}->{order} || 0 ) <=> ( $apps->{$b}->{order} || 0 ) + or $a cmp $b + } + grep { not /^(?:catname|type|order)$/ } keys %$apps + ) + { my $item = { id => "$baseId/$cat" }; if ( $apps->{$cat}->{type} eq 'category' ) { $item->{title} = $apps->{$cat}->{catname}; diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Diff.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Diff.pm index 67b153a13..a1cf448a7 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Diff.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Diff.pm @@ -110,8 +110,8 @@ sub appListDiff { my ( $self, @conf ) = @_; my @res; my @keys = ( - [ sort grep { $_ !~ /^(?:catname|type)$/ } keys %{ $conf[0] } ], - [ sort grep { $_ !~ /^(?:catname|type)$/ } keys %{ $conf[1] } ] + [ sort grep { $_ !~ /^(?:catname|type|order)$/ } keys %{ $conf[0] } ], + [ sort grep { $_ !~ /^(?:catname|type|order)$/ } keys %{ $conf[1] } ] ); while ( my $key = shift @{ $keys[0] } ) { diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm index 1da4ab75b..6b17e91fd 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Parser.pm @@ -70,7 +70,7 @@ has confChanged => ( ); # Properties required during build -has refConf => ( is => 'ro', isa => 'HashRef', required => 1 ); +has refConf => ( is => 'ro', isa => 'HashRef', required => 1 ); has req => ( is => 'ro', required => 1 ); has newConf => ( is => 'rw', isa => 'HashRef' ); has tree => ( is => 'rw', isa => 'ArrayRef' ); 
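Review bot: The comparator added in `_scanCatsAndApps`, `( $apps->{$a}->{order} || 0 ) <=> ( $apps->{$b}->{order} || 0 ) or $a cmp $b`, together with the reserved-key filter `grep { not /^(?:catname|type|order)$/ }`, is repeated three more times in Menu.pm within this same commit (`_buildCategoryHash` twice, `_buildApplicationHash` once), each copy spelling the reserved-key list slightly differently. A single shared helper, e.g. `sub orderedKeys { my $h = shift; return sort { ( $h->{$a}{order} || 0 ) <=> ( $h->{$b}{order} || 0 ) or $a cmp $b } grep { not /^(?:catname|type|options|order)$/ } keys %$h }`, would keep the tie-break and the reserved names in one place. `<=>` will also emit a warning if a hand-edited configuration carries a non-numeric `order`; if that value is not validated upstream, `// 0` plus a `looks_like_number` guard would be safer. The rest of `_scanCatsAndApps` lies outside the hunk.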
@@ -160,7 +160,7 @@ sub _scanNodes { hdebug("Looking to $name"); # subnode - my $subNodes = $leaf->{nodes} // $leaf->{_nodes}; + my $subNodes = $leaf->{nodes} // $leaf->{_nodes}; my $subNodesCond = $leaf->{nodes_cond} // $leaf->{_nodes_cond}; ################################## @@ -587,6 +587,22 @@ sub _scanNodes { $cmp = $cmp->{$cat}; } + my $newapp = $app; + + # Compute a nice name for new nodes, taking care of potential conflicts + # For some reason, the manager sends /nNaN sometimes + if ( $newapp =~ /^n(\d+|NaN)$/ ) { + + # Remove all special characters + my $baseName = $leaf->{title} =~ s/\W//gr; + $baseName = lc $baseName; + $newapp = $baseName; + my $cnt = 1; + while ( exists $cn->{$newapp} ) { + $newapp = "${baseName}_" . $cnt++; + } + } + # Create new category # # Note that this works because nodes are ordered so "cat/cat2/app" @@ -594,11 +610,14 @@ sub _scanNodes { if ( $leaf->{type} eq 'menuCat' ) { hdebug(' menu cat'); $knownCat->{__id}++; - my $s = $knownCat->{$app} = sprintf '%04d-cat', - $knownCat->{__id}; - $cn->{$s} = { catname => $leaf->{title}, type => 'category' }; + $knownCat->{$app} = $newapp; + $cn->{$newapp} = { + catname => $leaf->{title}, + type => 'category', + order => $knownCat->{__id} + }; unless ($cmp->{$app} - and $cmp->{$app}->{catname} eq $cn->{$s}->{catname} ) + and $cmp->{$app}->{catname} eq $cn->{$newapp}->{catname} ) { $self->confChanged(1); push @{ $self->changes }, @@ -606,15 +625,17 @@ sub _scanNodes { key => join( ', ', 'applicationList', @path, $leaf->{title} ), - new => $cn->{$s}->{catname}, - old => ( $cn->{$s} ? $cn->{$s}->{catname} : undef ) + new => $cn->{$newapp}->{catname}, + old => ( + $cn->{$newapp} ? $cn->{$newapp}->{catname} : undef + ) }; } if ( ref $subNodes ) { $self->_scanNodes($subNodes) or return 0; } my @listCatRef = keys %{ $cmp->{$app} }; - my @listCatNew = keys %{ $cn->{$s} }; + my @listCatNew = keys %{ $cn->{$newapp} }; # Check for deleted unless ( @listCatRef == @listCatNew ) { 
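Review bot: The key computed in the new `if ( $newapp =~ /^n(\d+|NaN)$/ )` block can be an empty string or one of the reserved sibling keys. `s/\W//gr` applied to a title made only of punctuation or spaces leaves `$baseName` equal to '', so `$cn->{''}` is created; and a title such as "Type", "Options" or "Order" yields exactly the key that the readers touched by this commit (RESTServer.pm `_scanCatsAndApps`, Menu.pm) filter out, so that node would most likely vanish from the menu, while the `exists $cn->{$newapp}` loop only catches the clash when the parent hash already carries that key. I would add a fallback and widen the loop condition: `$baseName = 'item' unless length $baseName;` and `while ( exists $cn->{$newapp} or $newapp =~ /^(?:catname|type|options|order)$/ ) {`. The enclosing `_scanNodes` starts and ends outside the hunk.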
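Review bot: In the `push @{ $self->changes }` entry of the `@@ -606` hunk, `old` reads `$cn->{$newapp}`, which the preceding `@@ -594` hunk has just assigned in the same branch, so `old` always equals `new` and the reported change carries no information; the reference value lives in `$cmp`, which is what the surrounding `unless ( $cmp->{$app} and ... )` guard already consults. The commit only renames `$s` to `$newapp` on these lines, but since it rewrites them anyway: `old => ( $cmp->{$app} ? $cmp->{$app}->{catname} : undef )`. `_scanNodes` continues outside the hunk.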
@@ -631,10 +652,12 @@ sub _scanNodes { else { hdebug(' new app'); $knownCat->{__id}++; - my $name = sprintf( '%04d-app', $knownCat->{__id} ); - $cn->{$name} = - { type => 'application', options => $leaf->{data} }; - $cn->{$name}->{options}->{name} = $leaf->{title}; + $cn->{$newapp} = { + type => 'application', + options => $leaf->{data}, + order => $knownCat->{__id} + }; + $cn->{$newapp}->{options}->{name} = $leaf->{title}; unless ( $cmp->{$app} ) { $self->confChanged(1); push @{ $self->changes }, @@ -644,9 +667,17 @@ sub _scanNodes { }; } else { - foreach my $k ( keys %{ $cn->{$name}->{options} } ) { + # Check for change in ordering + if ( ( $cn->{$newapp}->{order} || 0 ) != + ( $cmp->{$newapp}->{order} || 0 ) ) + { + $self->confChanged(1); + } + + # Check for change in options + foreach my $k ( keys %{ $cn->{$newapp}->{options} } ) { unless ( $cmp->{$app}->{options}->{$k} eq - $cn->{$name}->{options}->{$k} ) + $cn->{$newapp}->{options}->{$k} ) { $self->confChanged(1); push @{ $self->changes }, @@ -654,7 +685,7 @@ sub _scanNodes { key => join( ', ', 'applicationList', @path, $leaf->{title}, $k ), - new => $cn->{$name}->{options}->{$k}, + new => $cn->{$newapp}->{options}->{$k}, old => $cmp->{$app}->{options}->{$k} }; } @@ -1070,14 +1101,14 @@ sub _unitTest { or $attr->{type} =~ /Container$/ ) { my $keyMsg = $attr->{keyMsgFail} // $type->{keyMsgFail}; - my $msg = $attr->{msgFail} // $type->{msgFail}; + my $msg = $attr->{msgFail} // $type->{msgFail}; $res = 0 unless ( $self->_execTest( { - keyTest => $attr->{keyTest} // $type->{keyTest}, + keyTest => $attr->{keyTest} // $type->{keyTest}, keyMsgFail => $attr->{keyMsgFail} // $type->{keyMsgFail}, - test => $attr->{test} // $type->{test}, + test => $attr->{test} // $type->{test}, msgFail => $attr->{msgFail} // $type->{msgFail}, }, $conf->{$key}, diff --git a/lemonldap-ng-manager/t/conf/lmConf-1.json b/lemonldap-ng-manager/t/conf/lmConf-1.json index 019529326..29563bd15 100644 
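Review bot: The new ordering check in the `@@ -644` hunk indexes the reference configuration as `$cmp->{$newapp}`, while every neighbouring line (the `unless ( $cmp->{$app} )` guard, the options loop below) uses `$cmp->{$app}`; whenever the two names differ (an existing key that happens to match `/^n(\d+|NaN)$/` is renamed from its title) the comparison is made against a missing entry and `0`, so `confChanged` is set spuriously. Use `( $cmp->{$app}->{order} || 0 )` for consistency. The check also calls `confChanged(1)` without pushing a `changes` entry, unlike the options loop right after it, and Diff.pm's `appListDiff` in this same commit filters `order` out as well, so a pure reorder is reported as a change with nothing listed; if that is intended, say so, `# Ordering changes mark the conf dirty but are not listed individually`. `_scanNodes` starts and ends outside the hunk.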
--- a/lemonldap-ng-manager/t/conf/lmConf-1.json +++ b/lemonldap-ng-manager/t/conf/lmConf-1.json @@ -1,7 +1,6 @@ { "applicationList": { "0001-cat": { - "catname": "Sample applications", "0002-app": { "options": { "description": "A simple application displaying authenticated user", @@ -10,6 +9,7 @@ "name": "Application Test 1", "uri": "http://test1.example.com/" }, + "order": 2, "type": "application" }, "0003-app": { @@ -20,12 +20,14 @@ "name": "Application Test 2", "uri": "http://test2.example.com/" }, + "order": 3, "type": "application" }, + "catname": "Sample applications", + "order": 1, "type": "category" }, "0004-cat": { - "catname": "Administration", "0005-app": { "options": { "description": "Configure LemonLDAP::NG WebSSO", @@ -34,6 +36,7 @@ "name": "WebSSO Manager", "uri": "http://manager.example.com/" }, + "order": 5, "type": "application" }, "0006-app": { @@ -44,6 +47,7 @@ "name": "Notifications explorer", "uri": "http://manager.example.com/notifications" }, + "order": 6, "type": "application" }, "0007-app": { @@ -54,12 +58,14 @@ "name": "Sessions explorer", "uri": "http://manager.example.com/sessions" }, + "order": 7, "type": "application" }, + "catname": "Administration", + "order": 4, "type": "category" }, "0008-cat": { - "catname": "Documentation", "0009-app": { "options": { "description": "Documentation supplied with LemonLDAP::NG", @@ -68,6 +74,7 @@ "name": "Local documentation", "uri": "http://manager.example.com/doc/" }, + "order": 9, "type": "application" }, "0010-app": { @@ -78,8 +85,11 @@ "name": "Official Website", "uri": "http://lemonldap-ng.org/" }, + "order": 10, "type": "application" }, + "catname": "Documentation", + "order": 8, "type": "category" } }, @@ -104,8 +114,7 @@ "Auth-User": "$uid" } }, - "exportedVars": { - }, + "exportedVars": {}, "globalStorage": "Apache::Session::File", "globalStorageOptions": { "Directory": "t/sessions", 
@@ -132,11 +141,11 @@ "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" }, "notification": 1, - "oldNotifFormat": 0, "notificationStorage": "File", "notificationStorageOptions": { "dirName": "t/notifications" }, + "oldNotifFormat": 0, "passwordDB": "Demo", "persistentStorage": "Apache::Session::File", "persistentStorageOptions": { diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm index 65adc8fff..62a13657e 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Menu.pm @@ -193,7 +193,7 @@ sub _buildCategoryHash { # Extract applications from hash my $apphash; foreach my $catkey ( sort keys %$cathash ) { - next if $catkey =~ /(type|options|catname)/; + next if $catkey =~ /(type|options|catname|order)/; if ( $cathash->{$catkey}->{type} eq "application" ) { $apphash->{$catkey} = $cathash->{$catkey}; } @@ -201,15 +201,29 @@ sub _buildCategoryHash { # Display applications first if ( scalar keys %$apphash > 0 ) { - foreach my $appkey ( sort keys %$apphash ) { + foreach my $appkey ( + sort { + ($apphash->{$a}->{order} || 0) <=> ($apphash->{$b}->{order} || 0) + or $a cmp $b + } + keys %$apphash + ) + { push @$applications, $self->_buildApplicationHash( $appkey, $apphash->{$appkey} ); } } # Display subcategories - foreach my $catkey ( sort keys %$cathash ) { - next if $catkey =~ /(type|options|catname)/; + foreach my $catkey ( + sort { + ($cathash->{$a}->{order} || 0) <=> ($cathash->{$b}->{order} || 0) + or $a cmp $b + } + grep { not /^(?:catname|type|options|order)$/ } keys %$cathash + ) + { + if ( $cathash->{$catkey}->{type} eq "category" ) { push @$categories, $self->_buildCategoryHash( $req, $catkey, $cathash->{$catkey}, 
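Review bot: The reserved-key filter kept in the `-193` hunk of Menu.pm, `next if $catkey =~ /(type|options|catname|order)/;`, is unanchored, while the new subcategory loop in the `-201` hunk filters with the anchored `grep { not /^(?:catname|type|options|order)$/ }`; the unanchored form also skips any entry whose key merely contains one of those words, so such an application or category silently disappears from the menu. Keys look generated (`'%04d-app'` in the removed manager line), so this is mostly a consistency point, but the anchored form should be used everywhere: `next if $catkey =~ /^(?:type|options|catname|order)$/;`. The same unanchored pattern is kept in the `-246`, `-305`, `-319` and `-393` hunks of this file. `_buildCategoryHash` starts and ends outside the hunks.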
@@ -246,7 +260,7 @@ sub _buildApplicationHash { # Detect sub applications my $subapphash; foreach my $key ( sort keys %$apphash ) { - next if $key =~ /(type|options|catname)/; + next if $key =~ /(type|options|catname|order)/; if ( $apphash->{$key}->{type} eq "application" ) { $subapphash->{$key} = $apphash->{$key}; } @@ -254,7 +268,14 @@ sub _buildApplicationHash { # Display sub applications if ( scalar keys %$subapphash > 0 ) { - foreach my $appkey ( sort keys %$subapphash ) { + foreach my $appkey ( + sort { + ($subapphash->{$a}->{order} || 0) <=> ( $subapphash->{$b}->{order} || 0 ) + or $a cmp $b + } + keys %$subapphash + ) + { push @$applications, $self->_buildApplicationHash( $appkey, $subapphash->{$appkey} ); } @@ -305,7 +326,7 @@ sub _filterHash { my ( $self, $req, $apphash ) = @_; foreach my $key ( keys %$apphash ) { - next if $key =~ /(type|options|catname)/; + next if $key =~ /(type|options|catname|order)/; if ( $apphash->{$key}->{type} and $apphash->{$key}->{type} eq "category" ) { @@ -319,7 +340,7 @@ sub _filterHash { # Find sub applications and filter them foreach my $appkey ( keys %{ $apphash->{$key} } ) { - next if $appkey =~ /(type|options|catname)/; + next if $appkey =~ /(type|options|catname|order)/; # We have sub elements, so we filter them $self->_filterHash( $req, $apphash->{$key} ); @@ -393,7 +414,7 @@ sub _isCategoryEmpty { # Test sub categories foreach $key ( keys %$apphash ) { - next if $key =~ /(type|options|catname)/; + next if $key =~ /(type|options|catname|order)/; if ( $apphash->{$key}->{type} and $apphash->{$key}->{type} eq "category" ) { @@ -408,10 +429,12 @@ sub _isCategoryEmpty { # Temporary store 'options' my $tmp_options = $apphash->{options}; my $tmp_catname = $apphash->{catname}; + my $tmp_order = $apphash->{order}; delete $apphash->{type}; delete $apphash->{options}; delete $apphash->{catname}; + delete $apphash->{order}; if ( scalar( keys %$apphash ) ) { 
@@ -420,6 +443,7 @@ sub _isCategoryEmpty { $apphash->{type} = "category"; $apphash->{options} = $tmp_options; $apphash->{catname} = $tmp_catname; + $apphash->{order} = $tmp_order; # Return false return 0; From 5126e9003b7db73c1747bcf1f592e11bc83d824c Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Tue, 28 May 2019 17:32:06 +0200 Subject: [PATCH 08/15] Allow double sessions for double cookies with singleSession (#1775) --- .../NG/Portal/Plugins/SingleSession.pm | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm index 441819fe2..18b91794b 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/SingleSession.pm @@ -4,7 +4,7 @@ use strict; use Mouse; use Lemonldap::NG::Portal::Main::Constants qw(PE_OK); -our $VERSION = '2.0.0'; +our $VERSION = '2.0.5'; extends 'Lemonldap::NG::Portal::Main::Plugin', 'Lemonldap::NG::Portal::Lib::OtherSessions'; @@ -15,10 +15,10 @@ sub init { 1 } sub run { my ( $self, $req ) = @_; - my $deleted = []; - my $otherSessions = []; - my $httpSessionId = ''; - my $moduleOptions = $self->conf->{globalStorageOptions} || {}; + my $deleted = []; + my $otherSessions = []; + my $linkedSessionId = ''; + my $moduleOptions = $self->conf->{globalStorageOptions} || {}; $moduleOptions->{backend} = $self->conf->{globalStorage}; my $sessions = $self->module->searchOn( 
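Review bot: `my $moduleOptions = $self->conf->{globalStorageOptions} || {};` in the `-15` hunk of SingleSession.pm aliases the live configuration hash, so the next line `$moduleOptions->{backend} = $self->conf->{globalStorage};` writes a `backend` key into the shared `globalStorageOptions` on every run of the plugin; if `$self->conf` is shared across requests, as it appears to be, that is a side effect on configuration rather than a local copy. A shallow copy avoids it: `my $moduleOptions = { %{ $self->conf->{globalStorageOptions} || {} } };`. The body of `run` continues into the next hunk.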
@@ -27,16 +27,19 @@ sub run { $req->{sessionInfo}->{ $self->conf->{whatToTrace} } ); - if ( $self->conf->{securedCookie} == 2 ){ + if ( $self->conf->{securedCookie} == 2 ) { $self->logger->debug("Looking for double sessions..."); - foreach my $id ( keys %$sessions ) { - $httpSessionId = $sessions->{$id}->{_session_id} if $sessions->{$id}->{_httpSessionType}; - } + $linkedSessionId = $sessions->{ $req->id }->{_httpSession}; + my $msg = + $linkedSessionId + ? "Linked session found -> $linkedSessionId / " . $req->id + : "NO linked session found!"; + $self->logger->debug($msg); } foreach my $id ( keys %$sessions ) { next if ( $req->id eq $id ); - next if ( $httpSessionId and $id eq $httpSessionId ); + next if ( $linkedSessionId and $id eq $linkedSessionId ); my $session = $self->p->getApacheSession($id) or next; if ( $self->conf->{singleSession} From acd6ba50e86e8bc7597dabf8bcf16225a3a14f76 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 19:52:08 +0200 Subject: [PATCH 09/15] Fix some missing $req (#1777) --- .../lib/Lemonldap/NG/Common/Conf/RESTServer.pm | 7 ++++--- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm index 9fe481c8a..92b24e436 100644 --- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm @@ -571,7 +571,8 @@ sub authChoiceModules { #@return PSGI JSON response sub grantSessionRules { my ( $self, $req, $key ) = @_; - return $self->sendError( 'Subkeys forbidden for grantSessionRules', 400 ) + return $self->sendError( $req, 'Subkeys forbidden for grantSessionRules', + 400 ) if ($key); my $value = $self->getConfKey( $req, 'grantSessionRules' ); my @res; 
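Review bot: `$linkedSessionId = $sessions->{ $req->id }->{_httpSession};` in the `-27` hunk autovivifies an empty `$sessions->{ $req->id }` entry when the current session is absent from the search result, and yields undef when the session carries no `_httpSession` field; in that case the "NO linked session found!" branch is taken and the `next if ( $linkedSessionId and $id eq $linkedSessionId )` guard below no longer protects the companion HTTP session, which the loop then treats like any other session. The removed code located that session through the `_httpSessionType` flag instead, so sessions created before `_httpSession` was recorded, if any exist, would presumably lose the protection — worth confirming against the session-creation code. Avoiding the autovivification and keeping the string default is one line, `$linkedSessionId = ( $sessions->{ $req->id } || {} )->{_httpSession} || '';`, and keeping the old `_httpSessionType` scan as a fallback would cover the older-session case. The rest of `run` is outside the hunk.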
@@ -605,7 +606,7 @@ sub grantSessionRules { # Split openIdIDPList parameter into 2 elements sub openIdIDPList { my ( $self, $req, $key ) = @_; - return $self->sendError( 'Subkeys forbidden for openIdIDPList', 400 ) + return $self->sendError( $req, 'Subkeys forbidden for openIdIDPList', 400 ) if ($key); my $value = $self->getConfKey( $req, 'openIdIDPList' ); $value //= '0;'; @@ -673,7 +674,7 @@ sub _scanCatsAndApps { # Returns raw value, just transform "over" key sub combModules { my ( $self, $req, $key ) = @_; - return $self->sendError( 'Subkeys forbidden for combModules', 400 ) + return $self->sendError( $req, 'Subkeys forbidden for combModules', 400 ) if ($key); my $val = $self->getConfKey( $req, 'combModules' ) // {}; my $res = []; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 4bc9cb103..7c8e3bd45 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -996,13 +996,13 @@ sub token { $self->logger->error( "Relying Party $rp is confidential but no client secret was provided to authenticate on token endpoint" ); - return $self->p->sendError( 'invalid_request', 400 ); + return $self->p->sendError( $req, 'invalid_request', 400 ); } unless ( $client_secret eq $self->conf->{oidcRPMetaDataOptions}->{$rp} ->{oidcRPMetaDataOptionsClientSecret} ) { $self->logger->error("Wrong credentials for $rp"); - return $self->p->sendError( 'invalid_request', 400 ); + return $self->p->sendError( $req, 'invalid_request', 400 ); } } From 82171e9a9040cbe1e9d225059300b6bfec4993c1 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 21:45:54 +0200 Subject: [PATCH 10/15] Fix missing $req in SLO responses (#1777) --- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
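Review bot: The two rewritten `sendError` calls in the `-996` hunk of OpenIDConnect.pm report a failed client authentication as `invalid_request` with HTTP 400, whereas RFC 6749 §5.2 reserves `invalid_client` (HTTP 401) for a missing or wrong client secret on the token endpoint; `return $self->p->sendError( $req, 'invalid_client', 401 );` would match the specification, provided the deployed relying parties tolerate the change. Not introduced by this commit but visible in the hunk: the secret is compared with a plain `eq`, whose running time depends on where the first differing byte is, so a length-independent comparison is preferable for a credential check. `token` continues outside the hunk.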
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm index df7bdc92e..35cbf79fd 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm @@ -1617,7 +1617,7 @@ sub sloServer { unless ($local_session) { $self->logger->error("No local session found"); - return $self->sendSLOErrorResponse( $logout, $method ); + return $self->sendSLOErrorResponse( $req, $logout, $method ); } # Load Session and Identity if they exist @@ -1668,7 +1668,7 @@ sub sloServer { } # Check Destination - return $self->sendSLOErrorResponse( $logout, $method ) + return $self->sendSLOErrorResponse( $req, $logout, $method ) unless ( $self->checkDestination( $logout->request, $url ) ); # Validate request if no previous error @@ -1718,7 +1718,7 @@ sub sloServer { unless ($signSLOMessage) { $self->logger->debug("Do not sign this SLO response"); - return $self->sendSLOErrorResponse( $logout, $method ) + return $self->sendSLOErrorResponse( $req, $logout, $method ) unless ( $self->disableSignature($logout) ); } From ead61416e0f59be74e182272b0cd67e81a65c06e Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 21:50:07 +0200 Subject: [PATCH 11/15] Add test for #1777 --- .../t/30-SAML-POST-Logout-when-expired.t | 465 ++++++++++++++++++ 1 file changed, 465 insertions(+) create mode 100644 lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t diff --git a/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t new file mode 100644 index 000000000..0cf120694 --- /dev/null +++ b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t 
@@ -0,0 +1,465 @@ +use lib 'inc'; +use Test::More; +use strict; +use IO::String; +use LWP::UserAgent; +use LWP::Protocol::PSGI; +use MIME::Base64; + +BEGIN { + require 't/test-lib.pm'; + require 't/saml-lib.pm'; +} + +my $maintests = 18; +my $debug = 'error'; +my $timeout = 1; +my ( $issuer, $sp, $res ); +my %handlerOR = ( issuer => [], sp => [] ); + +# Redefine LWP methods for tests +LWP::Protocol::PSGI->register( + sub { + my $req = Plack::Request->new(@_); + fail('POST should not launch SOAP requests'); + count(1); + return [ 500, [], [] ]; + } +); + +SKIP: { + eval "use Lasso"; + if ($@) { + skip 'Lasso not found', $maintests; + } + + # Initialization + ok( $issuer = issuer(), 'Issuer portal' ); + $handlerOR{issuer} = \@Lemonldap::NG::Handler::Main::_onReload; + switch ('sp'); + &Lemonldap::NG::Handler::Main::cfgNum( 0, 0 ); + + ok( $sp = sp(), 'SP portal' ); + $handlerOR{sp} = \@Lemonldap::NG::Handler::Main::_onReload; + + # Simple SP access + my $res; + ok( + $res = $sp->_get( + '/', accept => 'text/html', + ), + 'Unauth SP request' + ); + expectOK($res); + ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' ) + or explain( + $res->[1], +'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/' + ); + my ( $host, $url, $s ) = + expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn', + 'SAMLRequest' ); + + # Push SAML request to IdP + switch ('issuer'); + ok( + $res = $issuer->_post( + $url, + IO::String->new($s), + accept => 'text/html', + length => length($s) + ), + 'Post SAML request to IdP' + ); + expectOK($res); + my $pdata = 'lemonldappdata=' . 
expectCookie( $res, 'lemonldappdata' ); + + # Try to authenticate with an unauthorized user to IdP + $s = "user=dwho&password=dwho&$s"; + ok( + $res = $issuer->_post( + $url, + IO::String->new($s), + accept => 'text/html', + cookie => $pdata, + length => length($s), + ), + 'Post authentication' + ); + ok( $res->[2]->[0] =~ /trmsg="89"/, 'Reject reason is 89' ) + or print STDERR Dumper( $res->[2]->[0] ); + + # Simple SP access + ok( + $res = $sp->_get( + '/', accept => 'text/html', + ), + 'Unauth SP request' + ); + expectOK($res); + ok( expectCookie( $res, 'lemonldapidp' ), 'IDP cookie defined' ) + or explain( + $res->[1], +'Set-Cookie => lemonldapidp=http://auth.idp.com/saml/metadata; domain=.sp.com; path=/' + ); + ( $host, $url, $s ) = + expectAutoPost( $res, 'auth.idp.com', '/saml/singleSignOn', + 'SAMLRequest' ); + + # Push SAML request to IdP + ok( + $res = $issuer->_post( + $url, + IO::String->new($s), + accept => 'text/html', + length => length($s) + ), + 'Post SAML request to IdP' + ); + expectOK($res); + $pdata = 'lemonldappdata=' . 
expectCookie( $res, 'lemonldappdata' ); + + # Try to authenticate with an authorized user to IdP + $s = "user=french&password=french&$s"; + ok( + $res = $issuer->_post( + $url, + IO::String->new($s), + accept => 'text/html', + cookie => $pdata, + length => length($s), + ), + 'Post authentication' + ); + my $idpId = expectCookie($res); + + # Expect pdata to be cleared + $pdata = expectCookie( $res, 'lemonldappdata' ); + ok( $pdata !~ 'issuerRequestsaml', 'SAML request cleared from pdata' ); + + ( $host, $url, $s ) = + expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleSignOnPost', + 'SAMLResponse' ); + + # Post SAML response to SP + switch ('sp'); + ok( + $res = $sp->_post( + $url, IO::String->new($s), + accept => 'text/html', + length => length($s), + cookie => 'lemonldapidp=http://auth.idp.com/saml/metadata', + ), + 'Post SAML response to SP' + ); + + # Verify authentication on SP + expectRedirection( $res, 'http://auth.sp.com' ); + my $spId = expectCookie($res); + + ok( $res = $sp->_get( '/', cookie => "lemonldap=$spId" ), 'Get / on SP' ); + expectOK($res); + expectAuthenticatedAs( $res, 'fa@badwolf.org@idp' ); + + # Logout initiated by SP + ok( + $res = $sp->_get( + '/', + query => 'logout', + cookie => "lemonldap=$spId", + accept => 'text/html' + ), + 'Query SP for logout' + ); + ( $host, $url, $s ) = + expectAutoPost( $res, 'auth.idp.com', '/saml/singleLogout', + 'SAMLRequest' ); + + diag 'Waiting'; + sleep $timeout + 1; + + # Push SAML logout request to IdP + switch ('issuer'); + ok( + $res = $issuer->_post( + $url, + IO::String->new($s), + accept => 'text/html', + cookie => "lemonldap=$idpId", + length => length($s) + ), + 'Post SAML logout request to IdP' + ); + ( $host, $url, $s ) = + expectAutoPost( $res, 'auth.sp.com', '/saml/proxySingleLogoutReturn', + 'SAMLResponse' ); + + # Post SAML response to SP + switch ('sp'); + ok( + $res = $sp->_post( + $url, IO::String->new($s), + accept => 'text/html', + length => length($s), + cookie => 
'lemonldapidp=http://auth.idp.com/saml/metadata', + ), + 'Post SAML response to SP' + ); + ok($res->[2]->[0] =~ /trmsg="56"/, 'Found SLO error'); +} + +count($maintests); +clean_sessions(); +done_testing( count() ); + +sub switch { + my $type = shift; + @Lemonldap::NG::Handler::Main::_onReload = @{ + $handlerOR{$type}; + }; +} + +sub issuer { + return LLNG::Manager::Test->new( { + ini => { + timeout => $timeout, + logLevel => $debug, + domain => 'idp.com', + portal => 'http://auth.idp.com', + authentication => 'Demo', + userDB => 'Same', + issuerDBSAMLActivation => 1, + issuerDBSAMLRule => '$uid eq "french"', + samlSPMetaDataOptions => { + 'sp.com' => { + samlSPMetaDataOptionsEncryptionMode => 'none', + samlSPMetaDataOptionsSignSSOMessage => 1, + samlSPMetaDataOptionsSignSLOMessage => 1, + samlSPMetaDataOptionsCheckSSOMessageSignature => 1, + samlSPMetaDataOptionsCheckSLOMessageSignature => 1, + } + }, + samlSPMetaDataExportedAttributes => { + 'sp.com' => { + cn => +'1;cn;urn:oasis:names:tc:SAML:2.0:attrname-format:basic', + uid => +'1;uid;urn:oasis:names:tc:SAML:2.0:attrname-format:basic', + } + }, + samlOrganizationDisplayName => "IDP", + samlOrganizationName => "IDP", + samlOrganizationURL => "http://www.idp.com/", + samlServicePrivateKeyEnc => "-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAnfKBDG/K0TnGT7Xu8q1N45sNWvIK91SqNg8nvN2uVeKoHADT +csus5Xn3id5+8Q9TuMFsW9kIEeXiaPKXQa9ryfSNDhWDWloNkpGEeWif2BnHUu46 +Abu1UBWb0mH6VwcG1PR4qHruLis1odjQ1qnVDNfSEASVIppEBYjDX203ypmURIzU +6h53GRRRlf1BLWkbVn9ysmDeR57Xw5Rsx/+tBlcnMrkv/40DSUkehQIl2JmlFrl2 +Caik+gU4pd20apA/pNLjBZF0OmGoS08AIR5NMd0KFa6CwZUUSHJqH5GFy5Y2yl4l +g8K0klAS9q7L7aXI+eFQZhkwidjpxXnHPyxIGQIDAQABAoIBAHnfqjX3eO8SfnP5 +NURp90Td2mNHirCn0qLd9NKl1ySMPR1GgeH9SQ7Umu32EcteAUL5dOw2PiTZVmeW +cKINgsWVftXUQcOQ4xIqWKb51QUBdy0FhxrZRSFjWxXt5iYK1PmzHfsax/g1/S9C +RnqtFyjOy1bywkSt9jiy+9YBR2B7BDhLHlILbijWn5zaecaV4YA+L1UK4M/mehdb ++0FVPavbGpnlqBRTY+7YXfZ/mRPCfn5DvO9lW1O0pJMmNdBh9kmm3DxHf6AkK47a 
+43gO/dRWiWo2rZ/+Jw7uyqOb23U0MydP7kia0p3tzCUBPsrlgnichYG5RNFp0wqy +3VT1TYECgYEA0Y9vENy1jJd+s7WbGrsRtSKxfZgtJr0yjSlQVYrIlwbZSGn+ndxq +V2vVlwIgLX3pz6T40BMfk6SNx08jjy0Sgn6OAM0ILrinno8yWcSAMCmfCU0S/3O1 +55bqtcnk4XTHBHzJ5OrnrPaW5ourvJz0lcWEKMg3BXxLzaF6ZRy85nECgYEAwPMD +LNAKLCDrUMyYFOpPyPLe7wvszcFvPipGgerSgFP1c6N7xaMUdHDYqBfuis1khPGF +YcMHeNBYmzX6yEGbp3lrB4PHpUySmTU3mv3u9I05aahInK21gXum3uRkCWyyIF6V +T/qeszl9mVOCp0CC4eG3IMVpaD0UKDEHVhERYCkCgYAjuTPRyA4a3Wh38ilysRkf +q75eDqcDx5Tqg3RyYKo5NK2troP9HSnzpSpQB8i8eI53G0RfFCN5479XjqIdMi3J +mRFUCZ+vd0L7wKVwsBK6Ix49U6o9adhElnGEc9pUpLeYiD1SjMjZr1+iBYVNLeRz +86vH1/mpMbsqXrCis/dvwQKBgGttomHr/w3s0jftget7PirrFrbP0+wHfDGHhjRF +kyhCFtJovrwefYALaIXGtVjw3LusYZA570oT7pGUb2naJZkMYEwR0jG1vZWx7KDO +K6JbkxDB0pPxn7JVL2bAkPYyX8boAohCSOQO6WBZ/8+xem3bp4OGhpa0EyoBik0g +OaVpAoGATj4SyYsE10hGT676iie8zy3fi5IPC3E+x4QlVuusaLtuY8LJA50stjtx +gUa/JAKlZZL+gvzvOviQIxyfIChXOdTt5uiOYkdHJDbAF3NSrji7hrXq4v8UZv75 +8hBrwJZIpy6y01dRlrriHmPRtEq1pk7JX2uUg0sP5g4BEcsaCbc= +-----END RSA PRIVATE KEY----- +", + samlServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtR/wgDqWB4Maho5V6TjcL/NbNfjgIh7GcgkrB5RZcVT1GTej +JlMjUQdgBKBuZXQN+7/29P6UcGq1kYalURq6S8SpeJ1ofp5rBEoD/TIkvU0JOcid +65wp+fdzXGXsfiZvHraU74jSCgjP/wqfVGRyBIQzB0SIxSpnrsigqNsE1E94toDM +x4wovjHu/9ABAImREV7Sz83OeFF00/sghrjTEJOD/gHf04JCn9MgNOqvSTysr9LX +Wg/oUKQDEYeTq9ux6pq/oqv1MxwONbSZPtN5yD41mi+hT8Rh+W8Je8rsiML4VMxz +sb1l9303asw6suo5bLTISKNSbu1nt1NkpNxzywIDAQABAoIBAQCQkbvPPfP+bwC/ +IeEk1IO7qkzFWa7czR+safD0jc6OjTdNN4F716Q6yt4zEzLKu8VliiW+C23EBQiD +7asKf4DvdTun0ExVtHDK7aEdeealSlXwz1ZtdypyILbtq1UGo/rR0v4x601rQPl0 +IrBmFf6D6FkqleNtLJmxguXpoVfLdYKNwkxH2ux+GOA9r2o5pUCQmJGDap5YWRuQ +uB71ewJjVWujaL3e1ac/5cP7/tqWmgAiOaN8sYdD6+oWOR47bHj8JKcMBSl4y2QC +dL31cGmmf5KqBbtISki3RXfHHjT7E3Z85CbESkKTZlEb1ar3XmepY6Z7V5UO16oz +fFE5R6khAoGBAOl9Qb+qYVVO5ugE65ORjYVeuXykANhM9ssiY5a6zuAakWzw7Zv3 +k6PXm9p7azlEXAlTnTXVwHYMyuuzZDvQ8LRV1iBOdPuIkUAmaQ5K9ASD7VcoHexh +k8DAKf9Ln7sTRaMdvgceRNczOmJOBIEpTZkssA/jVGXZsoyTWYl1en/ZAoGBAMaW 
+RnNbSNprEV2b8UeAJ6i77c4SXwu1I8X2NLtiLScb1ETBjfrdHmdlJglfyd/0gmhH +p/43Ku2iGUoY5KtuOI6QmahrJYQscRQhoj252VXadG6fNWWAlpgdCm9houhHb5BF +3zge/bTr0anUe9EA7Z/ymav12rEouoNjIlhI9C5DAoGATR85a2SMt8/TB0owwdJu +62GpZNkLCmcJkXkvaecUVAOSi2hdI4o4MwMRkK35cbX5rH74y4JqCtQY5pefgP53 +sykzDAK+MyMdzxGg2764MRGegI5Yq+5jDmSquo+xF+q6srEtRk6iMG7UVwosBLmu +zuxqzySoiOfKSRKWnYe3SakCgYEAwWMkVkAmETXE4oDzFSsS8/mW2l//mPocTTK3 +JWe1CunJ6+8FYbAlZJEW2ngismp8+CoXybNVpbZ+pC7buKoMf6EHUgCNt0pEEFO0 +mCG9KSMk0XlPWXpArP9S4yaUq1itpzSz7QYZES+4rIcU0HLz9RgeWFyCTJWaFErc +7laVG9sCgYBKOtk5WlIOP4BxSd2y4cYzohgwTZIs1/2kTEn1u4eH73M1xvAlHHFB +wSF5QXgDKJ8pPAOhNWpdLO/PdtnQn91nOvTNc+ShJZzjdbneUdQVpWpoBf72uA+N +6rIVf1JBUL2p7HFHaGdUZC7KGQ+yv6ZHrE1+7202nuDvJdvGEEdFsQ== +-----END RSA PRIVATE KEY----- +", + samlServicePublicKeyEnc => "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnfKBDG/K0TnGT7Xu8q1N +45sNWvIK91SqNg8nvN2uVeKoHADTcsus5Xn3id5+8Q9TuMFsW9kIEeXiaPKXQa9r +yfSNDhWDWloNkpGEeWif2BnHUu46Abu1UBWb0mH6VwcG1PR4qHruLis1odjQ1qnV +DNfSEASVIppEBYjDX203ypmURIzU6h53GRRRlf1BLWkbVn9ysmDeR57Xw5Rsx/+t +BlcnMrkv/40DSUkehQIl2JmlFrl2Caik+gU4pd20apA/pNLjBZF0OmGoS08AIR5N +Md0KFa6CwZUUSHJqH5GFy5Y2yl4lg8K0klAS9q7L7aXI+eFQZhkwidjpxXnHPyxI +GQIDAQAB +-----END PUBLIC KEY----- +", + samlServicePublicKeySig => "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR/wgDqWB4Maho5V6Tjc +L/NbNfjgIh7GcgkrB5RZcVT1GTejJlMjUQdgBKBuZXQN+7/29P6UcGq1kYalURq6 +S8SpeJ1ofp5rBEoD/TIkvU0JOcid65wp+fdzXGXsfiZvHraU74jSCgjP/wqfVGRy +BIQzB0SIxSpnrsigqNsE1E94toDMx4wovjHu/9ABAImREV7Sz83OeFF00/sghrjT +EJOD/gHf04JCn9MgNOqvSTysr9LXWg/oUKQDEYeTq9ux6pq/oqv1MxwONbSZPtN5 +yD41mi+hT8Rh+W8Je8rsiML4VMxzsb1l9303asw6suo5bLTISKNSbu1nt1NkpNxz +ywIDAQAB +-----END PUBLIC KEY----- +", + samlSPMetaDataXML => { + "sp.com" => { + samlSPMetaDataXML => + samlSPMetaDataXML( 'sp', 'HTTP-POST' ) + }, + }, + } + } + ); +} + +sub sp { + return LLNG::Manager::Test->new( { + ini => { + logLevel => $debug, + timeout => $timeout, + domain => 'sp.com', + 
portal => 'http://auth.sp.com', + authentication => 'SAML', + userDB => 'Same', + issuerDBSAMLActivation => 0, + restSessionServer => 1, + samlIDPMetaDataExportedAttributes => { + idp => { + mail => "0;mail;;", + uid => "1;uid", + cn => "0;cn" + } + }, + samlIDPMetaDataOptions => { + idp => { + samlIDPMetaDataOptionsEncryptionMode => 'none', + samlIDPMetaDataOptionsSSOBinding => 'post', + samlIDPMetaDataOptionsSLOBinding => 'post', + samlIDPMetaDataOptionsSignSSOMessage => 1, + samlIDPMetaDataOptionsSignSLOMessage => 1, + samlIDPMetaDataOptionsCheckSSOMessageSignature => 1, + samlIDPMetaDataOptionsCheckSLOMessageSignature => 1, + samlIDPMetaDataOptionsForceUTF8 => 1, + } + }, + samlIDPMetaDataExportedAttributes => { + idp => { + "uid" => "0;uid;;", + "cn" => "1;cn;;", + }, + }, + samlIDPMetaDataXML => { + idp => { + samlIDPMetaDataXML => + samlIDPMetaDataXML( 'idp', 'HTTP-POST' ) + } + }, + samlOrganizationDisplayName => "SP", + samlOrganizationName => "SP", + samlOrganizationURL => "http://www.sp.com", + samlServicePublicKeySig => "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu4iToYAEmWQxgZDihGVz +MMql1elPn37domWcvXeU2E4yt2hh5jkQHiFjgodfOlNeRIw5QJVlUBwr+CQvbaKR +FXd7BrOhQIDC0TZPRVB0XHarUtsCuDekN4/2GKSzHsoToKUVPWq9thsuek3xkpsJ +GZNX7bglfEc9+QQpYTqN1rkdN1PVU0epNMokFFGho5pLRqLUV5+I/QXAL49jfTja +Sxsp4UndTI8/+mGSRSq+nrT2zyQRM/vkj5vR9ZVz67HO/+Wk3Mx6RAwkVcMdgMAq +Cq8odmbI0yCRZiTL9ybKWRKqWJoKJ0p5+Q2fPEBPupQZR09Jt/JPuLVSsGfCxi9N +qwIDAQAB +-----END PUBLIC KEY----- +", + samlServicePrivateKeyEnc => "-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAsRaod2RZ8hMFBl+VhsnhyPM8l/Fj1obnBxfQIaWuHFIFfXiG +e/CYHuZ5QJQLnZxHMJX6LL3Sh+Usog3p0jpijpcg0QgfBSEkfopKTgReYN8DiDIl +l0rV1XdTni7E85Nd1YyNy3ui/ZD+UShWwqu6jLVLR+QUm+/1LIKYb3OCBTvOlY7x +HoP6NSU1+Mr+YzGBUacdO2vnNxe/PQhxIeP1zO0njuqGHkwEpy8rUWRZbbDn31Tm +Kjqlhgtsz5HPhbRaYEExhyepKgBiNz+RyxtYXVhuG8OrWQDoS5gYHSjdw1CTJyix +eJwyoqA9RGYguG5nh9zndi3LWAh7Z0lx+tIz+wIDAQABAoIBAEkZrk8iiJKJ0WAx 
+IrsyKNbXuWKLTYgnxcRCyzKofrfID+YcU39j8JeI0fKbajQUZ7qhnlTLwtU//+2h +SqzyVu6/add/v7ZRWQw3L7cGzKK2THHzKVtLk/t7N3QroDdf1LMrQvkFP2HmcWS0 +/yN62hXtXHb/qpY4Nn+6JQyUpM5dkv8S/QjDl2NTdyWrXKzWp+4I3QLQ20f4zym+ +ir7RennziMc0HlQNcTjGAUbFULtdqEfSFWhNK7UjiRY+S0XV2xJIbGjnxUQH62fS +w1ZzYsF7sBtoSckvfL4WfGbylhOVnliU05RLU2c67PRjj1Gskoslq1Ow/3DHR7rI +BSBpV8ECgYEA1eHfcog7xQGDkW+cshJtFPFx+9MegB58gFW1rl0rn+tfbexvoSEA +7G7EOTyaU6OAI+8StiRT6AYTgEU7PMM9zDykdGIWj3h0OpHGA86xhEiiaaM2DDRv +/DEKRVlEdmRLLLY28pJVHOMYomia3mb2VKZGg2VfGtSfjg1GXD3I8OECgYEA0/X0 +U55KjZ1JQTPUgFc1WK1NxX9MaH+NcpDaolEUy3Qf3QTbfws+a9K3vwCn7EpQhrfs +I6RVUtwFdCyfl/jzBY9Gykkg03sMgW7Qw2SCCsSt05M+jDtBbNJ7esP6PAeKFvXZ +ZWhdeiAa4kM/P6gtvZXQ4tY4LkSbcd6b0SzzFFsCgYBjMsusFzuBd95JyfZnMNye +5gzzu0teKMWd0CLfqB7foQ81sH9lwCTpg8ZGtbDuMdrwz6ViDR9NceQBjhqXaAZ1 +f3rW79d+22Ms9wdcJLV4oSeSzzv2FSwLT8NvvqNeNc4YArshbnVDXKDEUrfhhueh +Ay2ZK58clpkaDVYg2hckgQKBgG3KuhtSI/YE4fwXN9yez7A2XNGPZem/IGqWo9lu +PGJCrXqT2IqPLW82gB083r6jo+CUhonTxqqb82tA7g4PUvqvQ5Dmnk1NMKYe255K +gp3HUO8GF2EWFIak5Hcr6oOLuDi6cjh3/euTk7ld8fYsTD0mzEOjiQhWW1p5X6bT +LLp/AoGAHvkxA1NM1HJ3myAREbwNXxRy/nhNt4mwMkZ6hPQsW/Eg/3r7j6MJOFrm +U8AJJjDGKe6nlXhhnMoQfJzAc0cYNgjktmJXW27fHGIwt/2QwYNFHPK3s7HTrfH6 +7T4XKT3yGeeeyC2soKJQPlGB+ETdIUnXa7eo9KVWtMTgISyx1Qk= +-----END RSA PRIVATE KEY----- +", + samlServicePrivateKeySig => "-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAu4iToYAEmWQxgZDihGVzMMql1elPn37domWcvXeU2E4yt2hh +5jkQHiFjgodfOlNeRIw5QJVlUBwr+CQvbaKRFXd7BrOhQIDC0TZPRVB0XHarUtsC +uDekN4/2GKSzHsoToKUVPWq9thsuek3xkpsJGZNX7bglfEc9+QQpYTqN1rkdN1PV +U0epNMokFFGho5pLRqLUV5+I/QXAL49jfTjaSxsp4UndTI8/+mGSRSq+nrT2zyQR +M/vkj5vR9ZVz67HO/+Wk3Mx6RAwkVcMdgMAqCq8odmbI0yCRZiTL9ybKWRKqWJoK +J0p5+Q2fPEBPupQZR09Jt/JPuLVSsGfCxi9NqwIDAQABAoIBABE0Cjb6g3F+23vD +SsRSeiqzrFrfOEqtXK+VGrfWzHS7V7Ozg6eW/H+HGJXUzUuQcklfg7EFA3JB41a0 +GxW3oA+UElkfCV/dcAG5NbRqGQKScEz9glZb5FikgDLqiPP+HabS/gvQSu71t2HI +3KxSRJdwCNTp26Z28pxxYUpmELTtxd9vlHjffit2Mnt2uc8hOtFHdNavfYwvYH7o +bmlckp7b/JVOy2Yy21O94ZWkE498jXyn71Gr+V1cnJ0RrmYbhQqIvFpFHj98Pf4O 
+if3c4YmBcZ4t7PUsZUYF3ooWt8k/mdigQC3D6p80OKe+wUTYKcCN0ZdFbiURv9pg +CsqLh+ECgYEA9vA+9QfzvXC7S5yXgTkuRiusPlNye/AiyA/0oGjmjFZ1YNsT7awH +6BjW6WE+rS4elKJu1GaefM/cDguH4ZmJc+eKgi4LDCqYw9rr9les3aneBc8demd3 +O/Ej1Pud1QxXArBNfBYo08vEqwST9P89clJC5090U6bGK2E0rTVu1w0CgYEAwmpG +9LbOFeGCPmwX7Avuk7tQQfRSV6q9TFZo+HxDfKYvxec846l1vBenY2rrgYhtolYJ +YS795LYgbSWRxGfgr1GuIbP5GsjHy6/1o6bS8M++GJ7KHArb0QLAYyQweqqb164A +NvHJkveueWnxzeOlD9j2fcjEnBHwTnqjG+17CZcCgYEAqMXawa4FsNxzpmIISpHC +RsNindZ60Kp3mzUMhPYtXI1a/C+/lxmU7dTMTgXgyIxU6lF6XkEk4TlPtWm8HTzK +7SS7Te4aLt6OOo5N57hUtct7q4y7IQXGQHm3e8HdRdeBQJ0u2Dhs/xSt/hTK6w/n +91Kx11Y+s02w88UkM53pe6ECgYAF/UYwVc1liSv9BlF6WSfBb1zam09KGh1405Sq +SxG9LlV8cFJE5TyWTdg/TNTyiaRvAt2JG+yAdkfrdOPXvCeE3yxRJ30+IP9evA4C +O6p19sBxe7rYQFFjUAVjSIMh1E22yEqDZtGB8JV0chob8K5uHY4CdAPylu7jTA3o +V1maAwKBgQCSGQ3yzsk4EGN2xd/JdgGDzhKyTZTQKMWYqQcsYxRAQ7Paj7u+Wkgv +dBeKcI0HwgpLy5ZohSd2erqieIsW0pEbJWCmos4IcO8tgNfEOa5WXYdyLbj5tFwt +ctu4/BJdijqfpMAtG8pv6k09gYjfASVytXmydGcs/0rVKYCRQA8Tow== +-----END RSA PRIVATE KEY----- +", + samlServicePublicKeyEnc => "-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsRaod2RZ8hMFBl+Vhsnh +yPM8l/Fj1obnBxfQIaWuHFIFfXiGe/CYHuZ5QJQLnZxHMJX6LL3Sh+Usog3p0jpi +jpcg0QgfBSEkfopKTgReYN8DiDIll0rV1XdTni7E85Nd1YyNy3ui/ZD+UShWwqu6 +jLVLR+QUm+/1LIKYb3OCBTvOlY7xHoP6NSU1+Mr+YzGBUacdO2vnNxe/PQhxIeP1 +zO0njuqGHkwEpy8rUWRZbbDn31TmKjqlhgtsz5HPhbRaYEExhyepKgBiNz+RyxtY +XVhuG8OrWQDoS5gYHSjdw1CTJyixeJwyoqA9RGYguG5nh9zndi3LWAh7Z0lx+tIz ++wIDAQAB +-----END PUBLIC KEY----- +", + samlSPSSODescriptorAuthnRequestsSigned => 1, + }, + } + ); +} From 6f9e857136a666c5d24ae8485f2e4a5b1cf1a740 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 21:50:16 +0200 Subject: [PATCH 12/15] Update manifest --- lemonldap-ng-portal/MANIFEST | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lemonldap-ng-portal/MANIFEST b/lemonldap-ng-portal/MANIFEST index 425c8e093..8603e867c 100644 --- a/lemonldap-ng-portal/MANIFEST 
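Review bot: The new test file declares `use strict;` but not `use warnings;`, and the failure branch `or print STDERR Dumper( $res->[2]->[0] );` calls `Dumper` without a `use Data::Dumper;` in this file, so unless `t/test-lib.pm` exports it the diagnostic itself dies with an undefined-subroutine error exactly when the assertion fails; adding `use warnings;` and `use Data::Dumper;` next to the other `use` lines fixes both. `my $res;` inside the `SKIP` block shadows the `$res` declared in `my ( $issuer, $sp, $res );` above, so one of the two declarations is dead. `diag 'Waiting'; sleep $timeout + 1;` ties the test's wall-clock time to the session timeout (raised to 6 seconds in a later patch of this series); a comment stating that the sleep is there so the session has expired before the SLO request, which the file name suggests is the intent, would make that explicit.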
+++ b/lemonldap-ng-portal/MANIFEST @@ -249,6 +249,7 @@ site/htdocs/static/common/de.png site/htdocs/static/common/en.png site/htdocs/static/common/es.png site/htdocs/static/common/favicon.ico +site/htdocs/static/common/fi.png site/htdocs/static/common/fr.png site/htdocs/static/common/icons/application_cascade.png site/htdocs/static/common/icons/arrow_refresh.png @@ -438,6 +439,7 @@ t/30-Auth-and-issuer-SAML-Redirect.t t/30-Auth-SAML-with-choice.t t/30-CDC.t t/30-SAML-Head-to-Tail-POST.t +t/30-SAML-POST-Logout-when-expired.t t/30-SAML-ReAuth-with-choice.t t/30-SAML-ReAuth.t t/30-SAML-SP-rule.t @@ -503,6 +505,10 @@ t/43-MailPasswordReset-with-captcha.t t/43-MailPasswordReset-with-token.t t/43-MailPasswordReset.t t/50-IssuerGet.t +t/59-Double-cookies-for-a-Single-session.t +t/59-Double-cookies-for-Double-sessions.t +t/59-Double-cookies-Refresh-and-Logout.t +t/59-Secured-cookie-Refresh-and-Logout.t t/60-Status.t t/61-BruteForceProtection.t t/61-ForceAuthn.t @@ -523,10 +529,6 @@ t/67-CheckUser.t t/68-Impersonation-with-doubleCookies.t t/68-Impersonation-with-merge.t t/68-Impersonation.t -t/69-Double-cookies-for-a-Single-session.t -t/69-Double-cookies-for-Double-sessions.t -t/69-Double-cookies-Refresh-and-Logout.t -t/69-HTTPS-cookie-Refresh-and-Logout.t t/70-2F-TOTP-with-History.t t/70-2F-TOTP.t t/70-2F-TOTP_8.t From e4174be166cb476991d0170aaa35727a309f16b1 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 21:51:11 +0200 Subject: [PATCH 13/15] Increase timeout (#1777) --- lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t index 0cf120694..6af4aba01 100644 --- a/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t +++ b/lemonldap-ng-portal/t/30-SAML-POST-Logout-when-expired.t 
@@ -13,7 +13,7 @@ BEGIN { my $maintests = 18; my $debug = 'error'; -my $timeout = 1; +my $timeout = 6; my ( $issuer, $sp, $res ); my %handlerOR = ( issuer => [], sp => [] ); From f0842569c232fdb1dd924f5b15cb5f8b8c16f008 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 21:58:22 +0200 Subject: [PATCH 14/15] Don't erase pdata on 404 errors (#1778) --- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm index bfa8a2d63..7474b842a 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm @@ -154,7 +154,8 @@ sub refresh { delete $data{$_} unless ( /^_/ or /^(?:startTime)$/ ); } $data{_updateTime} = strftime( "%Y%m%d%H%M%S", localtime() ); - $self->logger->debug( "Set session $req->{id} _updateTime with $data{_updateTime}" ); + $self->logger->debug( + "Set session $req->{id} _updateTime with $data{_updateTime}"); $req->steps( [ 'getUser', @{ $self->betweenAuthAndData }, @@ -876,7 +877,7 @@ sub lmError { # Check URL $self->controlUrl($req); - $req->pdata( {} ); + $req->pdata( {} ) unless ( $httpError == 404 ); if ( $req->wantJSON ) { return $self->sendJSONresponse( From db2ee96bc88bc4ac124222b2d6c7cf504f01c771 Mon Sep 17 00:00:00 2001 From: Xavier Date: Tue, 28 May 2019 22:04:45 +0200 Subject: [PATCH 15/15] Update versions (#1777) --- lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm | 2 +- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 2 +- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm index 92b24e436..74b676332 100644 
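Review bot: `$req->pdata( {} ) unless ( $httpError == 404 );` in the `-876` hunk of Run.pm compares `$httpError` numerically with no defined-guard, so a call to `lmError` without a numeric code would warn (whether every caller passes one is not visible here), and the exemption carries no explanation; `( $httpError // 0 ) == 404` removes the warning, and a why-comment such as `# Keep pdata on a 404 so a stray request for a missing resource does not discard an in-progress authentication flow` records the intent stated in the commit title. `lmError` starts and ends outside the hunk.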
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm +++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm @@ -6,7 +6,7 @@ use Mouse; use Lemonldap::NG::Common::Conf::Constants; use Lemonldap::NG::Common::Conf::ReConstants; -our $VERSION = '2.0.0'; +our $VERSION = '2.0.5'; extends 'Lemonldap::NG::Common::Conf::AccessLib'; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 7c8e3bd45..6c7a4ac93 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -15,7 +15,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_OIDC_SERVICE_NOT_ALLOWED ); -our $VERSION = '2.0.4'; +our $VERSION = '2.0.5'; extends 'Lemonldap::NG::Portal::Main::Issuer', 'Lemonldap::NG::Portal::Lib::OpenIDConnect', diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm index 35cbf79fd..dc8b84703 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm @@ -16,7 +16,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_UNAUTHORIZEDPARTNER ); -our $VERSION = '2.0.3'; +our $VERSION = '2.0.5'; extends 'Lemonldap::NG::Portal::Main::Issuer', 'Lemonldap::NG::Portal::Lib::SAML';