Fix CrowdSec plugin (#2817)

debian/control

@@ -222,6 +222,7 @@ Architecture: all
 Depends: ${misc:Depends},
          ${perl:Depends},
          debconf,
+         perl-doc,
          libapache-session-perl,
          libcache-cache-perl,
          libconfig-inifiles-perl,
@@ -233,6 +234,7 @@ Depends: ${misc:Depends},
          libjson-perl,
          libjson-xs-perl,
          libmouse-perl,
+         libclass-xsaccessor-perl,
          libplack-perl,
          liburi-perl,
          libwww-perl

doc/sources/admin/configvhost.rst

@@ -529,21 +529,22 @@ Some options are available:
    Provide a comma separated parameters list with custom function path and args.
    Args can be vars or session attributes, macros, ...
    By example: My::accessToTrace, Doctor, Who, _whatToTrace
+-  **Required authentication level**: this option avoids to reject user with
+   a rule based on ``$_authenticationLevel``. When user has not got the
+   required level, he is redirected to an upgrade page in the portal.
+   This default level is required for ALL locations relative to this virtual host.
+   It can be overrided for each locations.
 -  **Type**: handler type (:ref:`Main<presentation-kinematics>`,
    :doc:`AuthBasic<authbasichandler>`,
    :doc:`ServiceToken<servertoserver>`,
    :doc:`DevOps<devopshandler>`,
    :doc:`DevOpsST<devopssthandler>`,
    :doc:`OAuth2<oauth2handler>`,...)
--  **Required authentication level**: this option avoids to reject user with
-   a rule based on ``$_authenticationLevel``. When user has not got the
-   required level, he is redirected to an upgrade page in the portal.
-   This default level is required for ALL locations relative to this virtual host.
-   It can be overrided for each locations.
 -  **DevOps rules file URL**: option to define URL to retreive DevOps rules file.
    This option can be overridden with ``uwsgi_param/fastcgi_param RULES_URL`` parameter.
 -  **ServiceToken timeout**: by default, ServiceToken is just valid during 30
    seconds. This TTL can be customized for each virtual host.
+-  **Comment**: Can be used for setting comment.
 
 
 .. attention::

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm

@@ -30,7 +30,7 @@ our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)
 our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|Logout(?:SessionRequired|BypassConfirm|Type|Url)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
 our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|Re(?:questedAuthnContext|solutionRule|layStateURL)|A(?:daptSessionUtime|llowLoginFromIDP)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
 our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
-our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|DevOpsRulesUrl|Https|Port)|(?:exportedHeader|locationRule)s|post)';
+our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|(?:Commen|Por)t|ServiceTokenTTL|DevOpsRulesUrl|Https)|(?:exportedHeader|locationRule)s|post)';
 
 our $authParameters = {
   adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)],

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -4465,6 +4465,10 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
         'vhostAuthnLevel' => {
             'type' => 'int'
         },
+        'vhostComment' => {
+            'default' => '',
+            'type'    => 'longtext'
+        },
         'vhostDevOpsRulesUrl' => {
             'type' => 'url'
         },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -2502,6 +2502,10 @@ sub attributes {
             type    => 'int',
             default => -1,
         },
+        vhostComment => {
+            type    => 'longtext',
+            default => '',
+        },
         vhostAccessToTrace => { type => 'text', default => '' },
         vhostAliases       => { type => 'text', default => '' },
         vhostType          => {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm

@@ -27,11 +27,11 @@ sub cTrees {
                 help  => 'configvhost.html#options',
                 form  => 'simpleInputContainer',
                 nodes => [
-                    'vhostPort',          'vhostHttps',
-                    'vhostMaintenance',   'vhostAliases',
-                    'vhostAccessToTrace', 'vhostType',
-                    'vhostAuthnLevel',    'vhostDevOpsRulesUrl',
-                    'vhostServiceTokenTTL'
+                    'vhostPort',            'vhostHttps',
+                    'vhostMaintenance',     'vhostAliases',
+                    'vhostAccessToTrace',   'vhostAuthnLevel',
+                    'vhostType',            'vhostDevOpsRulesUrl',
+                    'vhostServiceTokenTTL', 'vhostComment'
                 ],
             },
         ],
@@ -197,8 +197,7 @@ sub cTrees {
             {
                 title => 'oidcRPMetaDataOptions',
                 help  => 'idpopenidconnect.html#options',
-                nodes => [ 
-                {
+                nodes => [ {
                         title => 'oidcRPMetaDataOptionsBasic',
                         form  => 'simpleInputContainer',
                         nodes => [

lemonldap-ng-manager/site/htdocs/static/js/conftree.js

@@ -1439,6 +1439,12 @@ function templates(tpl,key) {
             "id" : tpl+"s/"+key+"/"+"vhostAccessToTrace",
             "title" : "vhostAccessToTrace"
          },
+         {
+            "get" : tpl+"s/"+key+"/"+"vhostAuthnLevel",
+            "id" : tpl+"s/"+key+"/"+"vhostAuthnLevel",
+            "title" : "vhostAuthnLevel",
+            "type" : "int"
+         },
          {
             "default" : "Main",
             "get" : tpl+"s/"+key+"/"+"vhostType",
@@ -1484,12 +1490,6 @@ function templates(tpl,key) {
             "title" : "vhostType",
             "type" : "select"
          },
-         {
-            "get" : tpl+"s/"+key+"/"+"vhostAuthnLevel",
-            "id" : tpl+"s/"+key+"/"+"vhostAuthnLevel",
-            "title" : "vhostAuthnLevel",
-            "type" : "int"
-         },
          {
             "get" : tpl+"s/"+key+"/"+"vhostDevOpsRulesUrl",
             "id" : tpl+"s/"+key+"/"+"vhostDevOpsRulesUrl",
@@ -1501,6 +1501,13 @@ function templates(tpl,key) {
             "id" : tpl+"s/"+key+"/"+"vhostServiceTokenTTL",
             "title" : "vhostServiceTokenTTL",
             "type" : "int"
+         },
+         {
+            "default" : "",
+            "get" : tpl+"s/"+key+"/"+"vhostComment",
+            "id" : tpl+"s/"+key+"/"+"vhostComment",
+            "title" : "vhostComment",
+            "type" : "longtext"
          }
       ],
       "help" : "configvhost.html#options",

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"اسماء مستعارة",
 "vhostAuthnLevel":"مستوى إثبات الهوية  واجب",
+"vhostComment":"تعليق",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"إتش تي تي بي س",
 "vhostMaintenance":"وضع الصيانة",

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"Aliases",
 "vhostAuthnLevel":"Required authentication level",
+"vhostComment": "Comment",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Maintenance mode",

lemonldap-ng-manager/site/htdocs/static/languages/es.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"Aliases",
 "vhostAuthnLevel":"Nivel de autentificación requerido",
+"vhostComment":"Comentario",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Modo de mantenimiento",

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Accès à tracer",
 "vhostAliases":"Alias",
 "vhostAuthnLevel":"Niveau d'authentification requis",
+"vhostComment": "Commentaire",
 "vhostDevOpsRulesUrl":"URL du fichier de règles DevOps",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Mode maintenance",

lemonldap-ng-manager/site/htdocs/static/languages/he.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"כינויים",
 "vhostAuthnLevel":"דרגת אימות נדרשת",
+"vhostComment":"הערה",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"מצב תחזוקה",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"Alias",
 "vhostAuthnLevel":"Livello di autenticazione richiesto",
+"vhostComment":"Commento",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Modalità di manutenzione",

lemonldap-ng-manager/site/htdocs/static/languages/pl.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Dostęp do śledzenia",
 "vhostAliases":"Aliasy",
 "vhostAuthnLevel":"Wymagany poziom uwierzytelnienia",
+"vhostComment":"Komentarz",
 "vhostDevOpsRulesUrl":"Adres URL pliku reguł DevOps",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Tryb konserwacji",

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"İzlemeye erişim",
 "vhostAliases":"Takma adlar",
 "vhostAuthnLevel":"Gereken doğrulama seviyesi",
+"vhostComment":"Yorum",
 "vhostDevOpsRulesUrl":"DevOps kuralları dosya URL'si",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Bakım modu",

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"Access to trace",
 "vhostAliases":"Bí danh",
 "vhostAuthnLevel":"Mức xác thực bắt buộc",
+"vhostComment":"Bình luận",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"Chế độ bảo trì",

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"存取追蹤",
 "vhostAliases":"別名",
 "vhostAuthnLevel":"需要的驗證等級",
+"vhostComment":"注释",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"維護模式",

lemonldap-ng-manager/site/htdocs/static/languages/zh_TW.json

@@ -1214,6 +1214,7 @@
 "vhostAccessToTrace":"存取追蹤",
 "vhostAliases":"別名",
 "vhostAuthnLevel":"需要的驗證等級",
+"vhostComment":"註解",
 "vhostDevOpsRulesUrl":"DevOps rules file URL",
 "vhostHttps":"HTTPS",
 "vhostMaintenance":"維護模式",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CrowdSec.pm

@@ -33,7 +33,9 @@ has crowdsecUrl => ( is => 'rw' );
 sub init {
     my ($self) = @_;
     if ( $self->conf->{crowdsecUrl} ) {
-        $self->crowdsecUrl( $self->conf->{crowdsecUrl} =~ s#/+$## );
+        my $tmp = $self->conf->{crowdsecUrl};
+        $tmp =~ s#/+$##;
+        $self->crowdsecUrl($tmp);
     }
     else {
         $self->logger->warn(
@@ -59,7 +61,7 @@ sub check {
         return PE_ERROR;
     }
     my $content = $resp->decoded_content;
-    unless ($content) {
+    if ( !$content or $content eq 'null' ) {
         $self->userLogger->info("$ip isn't known by CrowsSec");
         return PE_OK;
     }
@@ -86,6 +88,7 @@ sub check {
                     return PE_SESSIONNOTGRANTED;
                 }
                 else {
+                    $self->userLogger->error("$ip is banned by CrowdSec");
                     $req->env->{CROWDSEC_REJECT} = 1;
                     return PE_OK;
                 }