diff --git a/_example/conf/lmConf-1.json b/_example/conf/lmConf-1.json
index 7a26ad3e0..ed45a9661 100644
--- a/_example/conf/lmConf-1.json
+++ b/_example/conf/lmConf-1.json
@@ -96,10 +96,12 @@
    "domain" : "__DNSDOMAIN__",
    "exportedHeaders" : {
       "test1.__DNSDOMAIN__" : {
-         "Auth-User" : "$uid"
+         "Auth-User" : "$uid",
+         "Auth-Groups" : "$groups"
       },
       "test2.__DNSDOMAIN__" : {
-         "Auth-User" : "$uid"
+         "Auth-User" : "$uid",
+         "Auth-Groups" : "$groups"
       }
    },
    "exportedVars" : {},
@@ -120,15 +122,15 @@
    },
    "locationRules" : {
       "auth.__DNSDOMAIN__" : {
-         "(?#checkUser)^/checkuser" : "$uid eq \"dwho\"",
+         "(?#checkUser)^/checkuser" : "inGroup(\"timelords\")",
          "(?#errors)^/lmerror/" : "accept",
          "default" : "accept"
       },
       "manager.__DNSDOMAIN__" : {
-         "(?#Configuration)^/(.*?\\.(fcgi|psgi)/)?(manager\\.html|confs/|$)" : "$uid eq \"dwho\"",
-         "(?#Notifications)/(.*?\\.(fcgi|psgi)/)?notifications" : "$uid eq \"dwho\" or $uid eq \"rtyler\"",
-         "(?#Sessions)/(.*?\\.(fcgi|psgi)/)?sessions" : "$uid eq \"dwho\" or $uid eq \"rtyler\"",
-         "default" : "$uid eq \"dwho\" or $uid eq \"rtyler\""
+         "(?#Configuration)^/(.*?\\.(fcgi|psgi)/)?(manager\\.html|confs/|$)" : "inGroup(\"timelords\")",
+         "(?#Notifications)/(.*?\\.(fcgi|psgi)/)?notifications" : "inGroup(\"timelords\") or $uid eq \"rtyler\"",
+         "(?#Sessions)/(.*?\\.(fcgi|psgi)/)?sessions" : "inGroup(\"timelords\") or $uid eq \"rtyler\"",
+         "default" : "inGroup(\"timelords\") or $uid eq \"rtyler\""
       },
       "test1.__DNSDOMAIN__" : {
          "^/logout" : "logout_sso",
diff --git a/_example/test/index.pl b/_example/test/index.pl
index 82b0f6942..06122ff05 100755
--- a/_example/test/index.pl
+++ b/_example/test/index.pl
@@ -92,6 +92,10 @@ print print "
  • Connected user:
  • Groups:
  • \n"; print "\n"; print
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
index 0d98b1471..9a22316e4 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@@ -595,6 +595,9 @@ sub substitute {
     $expr =~ s/\$env->\{/\$r->{env}->\{/g;
     $expr =~ s/\bskip\b/q\{999_SKIP\}/g;
 
+    # handle inGroup
+    $expr =~ s/\binGroup\(([^)]*)\)/listMatch(\$s->{'hGroups'},\1,1),/g;
+
     return $expr;
 }
 
diff --git a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
index a2876b193..dc0b8de89 100644
--- a/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
+++ b/lemonldap-ng-handler/t/60-Lemonldap-NG-Handler-PSGI.t
@@ -81,6 +81,23 @@ ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
 ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
 count(2);
 
+# Required "timelords" group
+ok(
+    $res =
+      $client->_get( '/fortimelords', undef, undef, "lemonldap=$sessionId" ),
+    'Require Timelords group'
+);
+ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
+count(2);
+
+# Required "dalek" group
+ok(
+    $res = $client->_get( '/fordaleks', undef, undef, "lemonldap=$sessionId" ),
+    'Require Dalek group'
+);
+ok( $res->[0] == 403, 'Code is 403' ) or explain( $res, 403 );
+count(2);
+
 # Required AuthnLevel = 1
 ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
     'Weak Authentified query' );
diff --git a/lemonldap-ng-handler/t/lmConf-1.json b/lemonldap-ng-handler/t/lmConf-1.json
index f9f09b75b..9cdbfe7eb 100644
--- a/lemonldap-ng-handler/t/lmConf-1.json
+++ b/lemonldap-ng-handler/t/lmConf-1.json
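Review bot: The replacement text of the new `inGroup` rewrite ends with a comma (`listMatch(\$s->{'hGroups'},\1,1),`), so a rule such as `inGroup('a') || inGroup('b')`, `inGroup('a') && $uid eq 'x'` or `inGroup('a') ? 1 : 0` becomes `listMatch(...), || ...`, which as far as I can tell is a Perl syntax error; only the low-precedence `or`/`and` used in the example config tolerates a trailing comma. Unless the comma is needed for a reason the hunk does not show, the line should read `$expr =~ s/\binGroup\(([^)]*)\)/listMatch(\$s->{'hGroups'},$1,1)/g;`, which also replaces the `\1` spelling that Perl warns about on the replacement side with `$1`. Two caveats belong in the `# handle inGroup` comment: the `[^)]*` capture stops at the first `)`, so a group name containing a parenthesis cannot be expressed with this helper, and the meaning of the third `listMatch` argument (`1`) is not visible here — if it selects case-insensitive matching, `inGroup("Admins")` also admits members of `admins`, which matters now that the example config uses it to gate the manager. `sub substitute` begins before this hunk.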
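Review bot: The two new checks exercise only the bare `inGroup('x')` form with an exact-case name, so neither its combination with other operators nor its case handling is pinned, and both are where an authorisation helper tends to regress silently. I would add two rules to `t/lmConf-1.json`, `"^/foreither": "inGroup('daleks') || inGroup('timelords')"` (expect 200) and `"^/forcase": "inGroup('Timelords')"` (expect whichever status is intended, with a comment saying so), and a `_get` plus status check for each here in the same shape as the `/fordaleks` block. The 403 for `/fordaleks` is only meaningful if the session fixture in `test-psgi-lib.pm` carries an `hGroups` entry for `timelords` and none for `daleks`; that fixture is rewritten in this commit but its new content is not readable in this view.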
@@ -47,6 +47,8 @@
     "^/test-uri2": "varIsInUri($ENV{REQUEST_URI}, '/test-uri2/', $uid)",
     "^/test-restricted_uri": "varIsInUri($ENV{REQUEST_URI}, '/test-restricted_uri/', \"$uid/\", 1)",
     "^/skipif": "$ENV{REQUEST_URI} =~ /zz/ ? skip : 1",
+    "^/fortimelords": "inGroup('timelords')",
+    "^/fordaleks": "inGroup('daleks')",
     "^/logout": "logout_sso",
     "^/deny": "deny",
     "default": "accept"
diff --git a/lemonldap-ng-handler/t/test-psgi-lib.pm b/lemonldap-ng-handler/t/test-psgi-lib.pm
index 8c2ca132a..f62d62a01 100644
--- a/lemonldap-ng-handler/t/test-psgi-lib.pm
+++ b/lemonldap-ng-handler/t/test-psgi-lib.pm
@@ -46,17 +46,42 @@ sub init {
     my $now = time;
     my $ts = strftime "%Y%m%d%H%M%S", localtime;
-    print F '{"_updateTime":"'
-      . $ts
-      . '","_timezone":"1","_session_kind":"SSO","_passwordDB":"Demo","_startTime":"'
-      . $ts
-      . '","ipAddr":"127.0.0.1","UA":"Mozilla/5.0 (X11; VAX4000; rv:43.0) Gecko/20100101 Firefox/143.0 Iceweasel/143.0.1","_user":"dwho","_userDB":"Demo","_lastAuthnUTime":'
-      . $now
-      . ',"uid":"dwho","_issuerDB":"Null","_session_id":"f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545","authenticationLevel":1,"_whatToTrace":"dwho","_auth":"Demo","_utime":'
-      . $now
-      . ',"_loginHistory":{"successLogin":[{"ipAddr":"127.0.0.1","_utime":'
-      . $now
-      . '}]},"cn":"Doctor Who","mail":"dwho@badwolf.org"}';
+    print F < [qw(dwho)],
+    'earthlings' => [qw(msmith rtyler)],
+    'users' => [qw(dwho msmith rtyler)],
+);
+
 # INITIALIZATION
 sub init {
@@ -82,6 +88,21 @@ sub setSessionInfo {
 # Do nothing
 # @return Lemonldap::NG::Portal constant
 sub setGroups {
+    my ( $self, $req ) = @_;
+
+    my $groups = $req->sessionInfo->{groups} || '';
+    my $hGroups = $req->sessionInfo->{hGroups} || {};
+    for my $grp ( keys %demoGroups ) {
+        if ( grep { $_ eq $req->user } @{ $demoGroups{$grp} } ) {
+            $hGroups->{$grp} = {};
+            $groups =
+              ($groups)
+              ? $groups . $self->conf->{multiValuesSeparator} . $grp
+              : $grp;
+        }
+    }
+    $req->sessionInfo->{groups} = $groups;
+    $req->sessionInfo->{hGroups} = $hGroups;
     PE_OK;
 }
 
diff --git a/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t b/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
index 9784a3fa9..3839fa00a 100644
--- a/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
+++ b/lemonldap-ng-portal/t/68-Impersonation-with-doubleCookies.t
@@ -287,10 +287,6 @@ m%
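Review bot: `for my $grp ( keys %demoGroups )` walks the hash in Perl's per-process random order, so the `groups` string stored in `sessionInfo` (and therefore the `Auth-Groups` header the example config exports) lists the same memberships in a different order from one portal process to the next; `for my $grp ( sort keys %demoGroups ) {` makes it deterministic at no cost. Because the loop starts from the existing `sessionInfo->{groups}` value, a second call on the same session would append each matching name again — if `setGroups` is only ever run once per login that is fine, but a comment saying so, or a `next if exists $hGroups->{$grp};` guard, would make the intent explicit. The three-line ternary could also be replaced by collecting matched names in an array and joining once with `$self->conf->{multiValuesSeparator}`, which reads more clearly; the loop also assumes `$req->user` is already set by the authentication step, which is presumably true for the Demo backend but worth a comment.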
    %, 'Found trspan="headers"' ) or explain( $res->[2]->[0], 'trspan="headers"' ); -ok( $res->[2]->[0] !~ m%%, - 'trspan="groups_sso" NOT found' ) - or explain( $res->[2]->[0], 'trspan="groups_sso"' ); - ok( $res->[2]->[0] =~ m%%, 'Found trspan="macros"' ) or explain( $res->[2]->[0], 'trspan="macros"' ); ok( $res->[2]->[0] =~ m%%, @@ -309,7 +305,7 @@ ok( $res->[2]->[0] =~ m%_whatToTrace%, ok( $res->[2]->[0] =~ m%testPrefix_groups%, 'Found testPrefix_groups' ) or explain( $res->[2]->[0], 'testPrefix_groups' ); -ok( $res->[2]->[0] =~ m%su; su_test; test_su%, +ok( $res->[2]->[0] =~ m%[^<]*su; su_test; test_su%, 'Found "su; su_test; test_su"' ) or explain( $res->[2]->[0], 'su' ); ok( $res->[2]->[0] =~ m%testPrefix_uid%, @@ -322,7 +318,7 @@ ok( $res->[2]->[0] =~ m%test_impersonation%, or explain( $res->[2]->[0], 'test_impersonation' ); ok( $res->[2]->[0] =~ m%rtyler/dwho%, 'Found rtyler/dwo' ) or explain( $res->[2]->[0], 'Found rtyler/dwo' ); -count(16); +count(15); my %attributes = map /(.+)?<\/td>/g, $res->[2]->[0]; ok( scalar keys %attributes == 35, 'Found 35 attributes' ) diff --git a/lemonldap-ng-portal/t/68-Impersonation.t b/lemonldap-ng-portal/t/68-Impersonation.t index 1d8d206e3..d16e853a6 100644 --- a/lemonldap-ng-portal/t/68-Impersonation.t +++ b/lemonldap-ng-portal/t/68-Impersonation.t @@ -284,10 +284,6 @@ m%
    %, 'Found trspan="headers"' ) or explain( $res->[2]->[0], 'trspan="headers"' ); -ok( $res->[2]->[0] !~ m%%, - 'trspan="groups_sso" NOT found' ) - or explain( $res->[2]->[0], 'trspan="groups_sso"' ); - ok( $res->[2]->[0] =~ m%%, 'Found trspan="macros"' ) or explain( $res->[2]->[0], 'trspan="macros"' ); ok( $res->[2]->[0] =~ m%%, @@ -306,7 +302,7 @@ ok( $res->[2]->[0] =~ m%_whatToTrace%, ok( $res->[2]->[0] =~ m%testPrefix_groups%, 'Found testPrefix_groups' ) or explain( $res->[2]->[0], 'testPrefix_groups' ); -ok( $res->[2]->[0] =~ m%su; su_test; test_su%, +ok( $res->[2]->[0] =~ m%[^<]*su; su_test; test_su%, 'Found "su; su_test; test_su"' ) or explain( $res->[2]->[0], 'su' ); ok( $res->[2]->[0] =~ m%testPrefix_uid%, @@ -324,7 +320,7 @@ ok( $res->[2]->[0] =~ m%_session_id%, 'Found _session_id' ) ok( $res->[2]->[0] =~ m%_session_kind%, 'Found _session_id' ) or explain( $res->[2]->[0], 'Found _session_kind' ); -count(18); +count(17); my %attributes = map /(.+)?<\/td>/g, $res->[2]->[0]; ok( keys %attributes == 35, 'Found 35 attributes' )