Support Traefik forwardAuth

Crypt::URandom failing is now fatal (#1808)

See merge request lemonldap-ng/lemonldap-ng!233

.gitlab-ci.yml

@@ -30,6 +30,21 @@ stages:
 before_script:
   - env | grep ^CI_
 
+autopkgtest:
+  stage: build
+  image: buildpkg/debian:buster
+  script:
+    - cd $CI_PROJECT_DIR
+    - env DEBIAN_FRONTEND=noninteractive apt-get -q -y update
+    - env DEBIAN_FRONTEND=noninteractive apt-get -q -y install --no-install-recommends aspcud apt-cudf pkg-perl-autopkgtest
+    - env DEBIAN_FRONTEND=noninteractive apt-get -q -y --solver aspcud -o APT::Solver::Strict-Pinning=0 -o Debug::pkgProblemResolver=yes build-dep .
+    - make
+    - make -j8 autopkgtest
+
+build_stretch:
+  extends: .debian_build_job
+  image: buildpkg/debian:stretch
+
 build_buster:
   extends: .debian_build_job
   image: buildpkg/debian:buster

.gitlab/issue_templates/Bug.md

@@ -1,8 +1,10 @@
-### Concerned version
+### Environment
 
-Version: %X.X.X
+LemonLDAP::NG version: (version number)
 
-Platform: (Nginx/Apache/Node.js)
+Operating system: (distribution and version)
+
+Web server: (Nginx/Apache/Node.js/...)
 
 ### Summary
 
@@ -11,7 +13,7 @@ Summarize the bug encountered concisely
 ### Logs
 
 ```
-Set here the logs using debug mode if possible. Attach it as file if it's too big
+Include the logs using logLevel = debug if possible. Attach it as file if it's too big
 ```
 
 ### Backends used

COPYING

@@ -113,6 +113,18 @@ License: CC-3
 Comment: This work, "sfa_manager.png", is a derivative of
  "Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
 
+ Files: lemonldap-ng-portal/site/htdocs/static/common/icons/star0.png
+Copyright: Christophe Maudoux <chrmdx@gmail.com>
+License: CC-3
+Comment: This work, "star0.png", is a derivative of
+ "Silver star with red border.png" by ANGELUS, under CC-BYSA-3.0.
+
+ Files: lemonldap-ng-portal/site/htdocs/static/common/icons/star1.png
+Copyright: Christophe Maudoux <chrmdx@gmail.com>
+License: CC-3
+Comment: This work, "star1.png", is a derivative of
+ "Golden star with red border.png" by ANGELUS, under CC-BYSA-3.0.
+
 Files: lemonldap-ng-portal/site/htdocs/static/common/icons/notifsExplorer.png
 Copyright: Various artists
 License: CC-BY-NC-ND-3.0 or GFDL-1.3

INSTALL

@@ -31,12 +31,12 @@ package for Debian works fine).
 
 Perl modules:
   Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
-  DBI, XML::Simple, SOAP::Lite, HTML::Template, XML::LibXML, XML::LibXSLT
+  DBI, SOAP::Lite, HTML::Template, XML::LibXML, XML::LibXSLT
 
 With Debian:
   apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
                   libdbi-perl perl-modules libwww-perl libcache-cache-perl \
-                  libxml-simple-perl libhtml-template-perl libsoap-lite-perl \
+                  libhtml-template-perl libsoap-lite-perl \
                   libxml-libxml-perl libxml-libxslt-perl
 
 1.2 - BUILDING
@@ -129,17 +129,17 @@ to access to configuration.
 
 Manager:
 --------
-Apache::Session, MIME::Base64, CGI, LWP::UserAgent, DBI, XML::Simple,
+Apache::Session, MIME::Base64, CGI, LWP::UserAgent, DBI, 
 SOAP::Lite, XML::LibXML, XML::LibXSLT, Lemonldap::NG::Common
 
 With Debian:
-  apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
+  apt-get install perl-modules libdbi-perl libwww-perl
   # If you want to use SOAP
   apt-get install libsoap-lite-perl
 
 Portal:
 -------
-Apache::Session, Net::LDAP, MIME::Base64, CGI, Cache::Cache, DBI, XML::Simple,
+Apache::Session, Net::LDAP, MIME::Base64, CGI, Cache::Cache, DBI,
 SOAP::Lite, HTML::Template, XML::LibXML, Lemonldap::NG::Common
 
 With Debian:
@@ -148,7 +148,7 @@ With Debian:
 Handler:
 --------
 Apache::Session, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI,
-XML::Simple, SOAP::Lite, Lemonldap::NG::Common
+SOAP::Lite, Lemonldap::NG::Common
 
 With Debian:
   apt-get install libapache-session-perl libwww-perl libcache-cache-perl

README.md

@@ -13,6 +13,11 @@ the requested URL and the rule calculates if the user is authorized.
 
 You can find documentation on [our website](https://lemonldap-ng.org/)
 
+# Contribute
+
+LemonLDAP::NG is hosted on [OW2](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng).
+Please use this platform to post issues, merge requests,...
+
 # Upgrade
 
 See https://lemonldap-ng.org/documentation/latest/upgrade
@@ -29,8 +34,8 @@ but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License
+You should have received a [copy of the GNU General Public License](LICENSE)
 along with this program.  If not, see http://www.gnu.org/licenses/.
 
-Copyright: see COPYING
+Copyright: see [COPYING](COPYING)
 

_example/conf/lmConf-1.json

@@ -87,7 +87,7 @@
    "cfgAuthor" : "The LemonLDAP::NG team",
    "cfgDate" : "1627287638",
    "cfgNum" : 1,
-   "cfgVersion" : "2.0.13",
+   "cfgVersion" : "2.1.0",
    "cookieName" : "lemonldap",
    "demoExportedVars" : {
       "cn" : "cn",

debian/control

@@ -19,6 +19,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
                      libcrypt-openssl-x509-perl <!nocheck>,
                      libcrypt-urandom-perl <!nocheck>,
                      libcrypt-rijndael-perl <!nocheck>,
+                     libdatetime-format-rfc3339-perl <!nocheck>,
                      libdbd-sqlite3-perl <!nocheck>,
                      libdbi-perl <!nocheck>,
                      libdigest-hmac-perl <!nocheck>,
@@ -228,8 +229,7 @@ Recommends: libapache-session-browseable-perl,
 Suggests: libconvert-base32-perl,
           libnet-ldap-perl,
           libsoap-lite-perl,
-          libxml-libxml-perl,
-          libxml-simple-perl
+          libxml-libxml-perl
 Conflicts: liblemonldap-ng-cli-perl
 Description: Lemonldap::NG common files
  Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
@@ -257,8 +257,7 @@ Depends: ${misc:Depends},
          lemonldap-ng-fastcgi-server (= ${binary:Version}) | lemonldap-ng-uwsgi-app (= ${binary:Version}) | apache2 | httpd-cgi
 Recommends: lemonldap-ng-doc (= ${binary:Version}),
             libxml-libxml-perl,
-            libxml-libxslt-perl,
-            libxml-simple-perl
+            libxml-libxslt-perl
 Suggests: libclone-perl,
           libregexp-assemble-perl
 Pre-Depends: debconf
@@ -298,6 +297,7 @@ Recommends: gsfonts,
             libunicode-string-perl
 Suggests: gpg,
           libcrypt-u2f-server-perl,
+          libdatetime-format-rfc3339-perl,
           libdbi-perl,
           libglib-perl,
           libgssapi-perl,

debian/lemonldap-ng-handler.links

@@ -2,3 +2,5 @@
 /etc/lemonldap-ng/handler-nginx.conf /etc/nginx/sites-available/handler-nginx.conf
 /etc/lemonldap-ng/test-apache2.conf /etc/apache2/sites-available/test-apache2.conf
 /etc/lemonldap-ng/test-nginx.conf /etc/nginx/sites-available/test-nginx.conf
+/etc/lemonldap-ng/nginx-lmlog.conf /etc/nginx/snippets/llng-lmlog.conf
+/etc/lemonldap-ng/nginx-lua-headers.conf /etc/nginx/snippets/llng-lua-headers.conf

doc/sources/admin/authcombination.rst

@@ -269,16 +269,3 @@ SSL authentication
 
 To chain SSL, you have to set "SSLRequire optional" in Apache
 configuration, else users will be authenticated by SSL only.
-
-Migrating from Multi
---------------------
-
-Old :doc:`Multiple backends stack<authmulti>`
-implemented only \`if\` and \`or\` keywords. Examples:
-
-================================================================ =====================================================
-Multi expressions                                                Combination
-================================================================ =====================================================
-``LDAP;DBI``                                                     ``[myLDAP] or [myDBI]``
-``DBI $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/`` ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]``
-================================================================ =====================================================

doc/sources/admin/authldap.rst

@@ -121,8 +121,6 @@ Filters
     In LDAP filters, $user is replaced by user login, and $mail by
     user email.
 
--  **Default filter**: default LDAP filter for searches, should not be
-   modified.
 -  **Authentication filter**: Filter to find user from its login
    (default: ``(&(uid=$user)(objectClass=inetOrgPerson))``)
 -  **Mail filter**: Filter to find user from its mail (default:
@@ -182,7 +180,7 @@ Groups
     If your LDAP countains over a thousand groups, you
     should avoid using group processing, check out
     :ref:`the performance page<performances-ldap-performances>` for
-    alternatives 
+    alternatives
 
 Password
 ~~~~~~~~

doc/sources/admin/authlinkedin.rst

@@ -30,8 +30,6 @@ Then, go in ``LinkedIn parameters``:
 -  **Authentication level**: authentication level for this module.
 -  **Client ID**: the application ID you get
 -  **Client secret**: the corresponding secret
--  **Searched fields** (deprecated): Fields requested on People endpoint
-   in v1, no more used in v2 API
 -  **Field containing user identifier**: Field that will be used as main
    user identifier in LL::NG, usually ``id`` (LinkedIn numeric
    identifer) or ``emailAddress``.

doc/sources/admin/authproxy.rst

@@ -13,6 +13,11 @@ Presentation
 LL::NG is able to send (through REST or SOAP) authentication
 credentials to another LL::NG portal, like a proxy.
 
+
+.. warning::
+
+    SOAP support may be removed in LLNG 3.0
+
 The difference with :doc:`remote authentication<authremote>` is that the
 client will never be redirect to the main LL::NG portal. This
 configuration is usable if you want to expose your internal SSO portal

doc/sources/admin/cli_examples.rst

@@ -15,8 +15,6 @@ This page shows some examples of LL::NG Command Line Interface. See
 Save/restore configuration
 --------------------------
 
-This part requires LLNG 2.0.5 at least.
-
 Save:
 
 .. code-block:: sh
@@ -31,7 +29,7 @@ Restore:
    # Or
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - <config.json
 
-Rollback (restore previous configuration, *since 2.0.8*):
+Rollback (restore previous configuration):
 
 .. code-block:: shell
 
@@ -314,15 +312,6 @@ these commands;
 
    openssl req -new -newkey rsa:4096 -keyout saml.key -nodes  -out saml.pem -x509 -days 3650
 
-Fix the certificate key format (you can skip this step if you are
-running >= 2.0.6)
-
-::
-
-   sed -e "s/END PRIVATE/END RSA PRIVATE/" \
-       -e "s/BEGIN PRIVATE/BEGIN RSA PRIVATE/" \
-       -i saml.key
-
 Import them in configuration and activate the SAML issuer
 
 ::

doc/sources/admin/conf.py

@@ -58,9 +58,9 @@ author = u'LemonLDAP::NG'
 # built documents.
 #
 # The short X.Y version.
-version = u'2.0'
+version = u'3.0'
 # The full version, including alpha/beta/rc tags.
-release = u'2.0'
+release = u'3.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

doc/sources/admin/configlocation.rst

@@ -132,7 +132,7 @@ configuration.
 Manager API
 -----------
 
-Since 2.0.8, a Manager API is available for:
+Manager API is available for:
 
 -  Second factors management for users
 -  OpenID Connect RP management

doc/sources/admin/contribute.rst

@@ -95,16 +95,17 @@ As *user*, create directory in directory:
    git checkout master # go to master branch
    git remote add upstream https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng.git # to connect to remote branch
    git fetch upstream  # import branch
-   git checkout v2.0 # to change branch
+   git checkout v2.1 # to change branch
    git fetch upstream
 
 Import version branch on linux station:
 
 ::
 
-   git checkout v2.0
-   git fetch upstream
-   git rebase upstream/v2.0 # to align to parent project remote branch
+   git checkout v2.1
+   git fetch upstream --all
+   git rebase upstream/v2.1 # to align to parent project remote branch
+   git push # to push to working remote branch
 
 On gitlab, create working branch, one per thematic on linux station:
 
@@ -115,9 +116,9 @@ On gitlab, create working branch, one per thematic on linux station:
    git status
    git commit -am "explanations (#number gitlab ticket)"
    git commit --amend file(s) # to modify a commit
-   git rebase v2.0 # align local working branch to local 2.0
+   git rebase v2.1 # align local working branch to local 2.1
    git checkout -- file(s) # revert
-   git push # to send on remote working branch ! Only after doing some commits !
+   git push # to send on remote working branch
 
 On gitlab, submit merge request when tests are corrects.
 
@@ -126,7 +127,7 @@ Install dependencies
 
 ::
 
-   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
+   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
    aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2  # install Apache
    aptitude install nginx nginx-extras  # install Nginx
    cpanm perltidy@20181120

doc/sources/admin/error.rst

@@ -23,7 +23,7 @@ from a version older than 1.0
    Can't locate /usr/share/lemonldap-ng/configStorage.pl
 
 → When you upgrade from Debian Lenny with customized index.pl files, you
-must upgrade them. 
+must upgrade them.
 
 Lemonldap::NG::Handler
 ----------------------

doc/sources/admin/exportedvars.rst

@@ -53,36 +53,13 @@ portal:
    attributes: it can contain boolean results or any string
 -  macros can also be used to import environment variables *(these
    variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
--  groups are stored as a string with values separated by ''; ''
-   (default values separator) in the special attribute ``groups``: it
-   contains the names of groups whose rules were returned true for the
-   current user. For example:
-
-.. code-block:: perl
-
-   $groups = group3; admin
-
--  You can also get groups in ``$hGroups`` which is a Hash Reference of
-   this form:
-
-.. code-block:: perl
-
-   $hGroups = {
-             'group3' => {
-                           'description' => [
-                                              'Service 3',
-                                              'Service 3 TEST'
-                                            ],
-                           'cn' => [
-                                     'group3'
-                                   ],
-                           'name' => 'group3'
-                         },
-             'admin' => {
-                          'name' => 'admin'
-                        }
-           }
-
+-  You can check for group membership of a particular user with the
+   ``inGroup`` function, see examples below.
+-  If you need more advanced processing of the group list (filtering,
+   rewriting) you may use ``$groups``, a flat list of all the user's
+   groups, separated by ''; '' (default values separator). Or the
+   ``$hGroups`` variable which is a perl hash whose keys are the group
+   names.
 
 Example for macros:
 
@@ -107,6 +84,42 @@ Defining a group for admins
 
 Using groups in a rule
 
+.. code-block:: perl
+
+   ^/admin -> inGroup('admin')
+
+   # Advanced usage
+   ^/admin -> defined $hGroups->{'admin'}
+   ^/admin -> $groups =~ /\badmin\b/
+
+
+.. note::
+
+    Groups are computed after macros, so a group rule may involve a
+    macro value.
+
+.. warning::
+
+    Macros and groups are computed in alphanumeric order,
+    that is, in the order they are displayed in the manager. For example,
+    macro "macro1" will be computed before macro "macro2": so, expression of
+    macro2 may involve value of macro1. As same for groups: a group rule may
+    involve another, previously computed group.
+
+   # Use a boolean macro in a rule
+   ^/admin -> $isAdmin
+   # Use a string macro in a HTTP header
+   Display-Name -> $displayName
+
+Defining a group for admins
+
+.. code-block:: perl
+
+   # group
+   admin -> $uid eq 'foo' or $uid eq 'bar'
+
+Using groups in a rule
+
 .. code-block:: perl
 
    ^/admin -> $groups =~ /\badmin\b/

doc/sources/admin/extendedfunctions.rst

@@ -321,8 +321,6 @@ Example::
 listMatch
 ~~~~~~~~~
 
-.. versionadded:: 2.0.7
-
 This function lets you test if a particular value can be found with a
 multi-valued session attribute.
 
@@ -349,8 +347,6 @@ found.
 inGroup
 ~~~~~~~
 
-.. versionadded:: 2.0.8
-
 This function lets you test if the user is in a given group. It is
 case-insensitive.
 
@@ -405,11 +401,8 @@ IP address is local*:
 varIsInUri
 ~~~~~~~~~~
 
-.. versionadded:: 2.0.7
-
-Function to check if a variable is in requested URI
-
-Example *check if $uid is in /check-auth/ URI*:
+Function to check if a variable is in requested URI. Example *check if
+$uid is in /check-auth/ URI*:
 
 .. code-block:: perl
 
@@ -429,7 +422,3 @@ Example *check if $uid is in /check-auth/ URI*:
    https://test1.example.com/check-auth/rtyler/api  -> false
    https://test1.example.com/check-auth/rtyler      -> false
 
-.. |image0| image:: /documentation/new.png
-   :width: 35px
-.. |image1| image:: /documentation/new.png
-   :width: 35px

doc/sources/admin/handlerarch.rst

@@ -11,6 +11,16 @@ Handlers are build on rows of modules:
 -  Library types if needed *(may inherit from Main)*
 -  Main: the main handler library
 
+Since version 2.1, wrappers are autogenerated when undefined. Generated
+code is simply:
+
+.. code:: perl
+
+   package Lemonldap::NG::Handler::Platform::Type;
+   use base 'Lemonldap::NG::Handler::Lib::Type',
+     'Lemonldap::NG::Handler::Platform::Main';
+   1;
+
 Overview of Handler packages
 ----------------------------
 

doc/sources/admin/index_protocols.rst

@@ -6,4 +6,4 @@ Standard SSO protocols
 
    samlservice
    openidconnectservice
-   
+

doc/sources/admin/installdeb.rst

@@ -95,8 +95,7 @@ Then, add the official LL::NG repository
        version
     -  Use the ``testing`` repository to get packages from next major
        version
-    -  Use the ``2.0`` repository to avoid upgrade to next major version
-
+    -  Use the ``2.1`` repository to avoid upgrade to next major version
 
 
 Finally update your APT cache:

doc/sources/admin/installrpm.rst

@@ -95,7 +95,7 @@ Run this to update packages cache:
 
     You must also install the EPEL repository for non-core
     dependencies. See :ref:`prerequisites and dependencies<prereq-yum>`
-    chapter for more. 
+    chapter for more.
 
 Manual download
 ~~~~~~~~~~~~~~~

doc/sources/admin/managertests.rst

@@ -5,7 +5,7 @@ Each time you save a configuration, Manager launch a lot of tests:
 
 -  unit tests for each key: they are declared in
    Lemonldap::NG::Manager::Attributes *(source
-   Lemonldap::NG::Manager::Build::Attributes)* 
+   Lemonldap::NG::Manager::Build::Attributes)*
 -  more advanced tests declared in Lemonldap::NG::Manager::Conf::Tests
 
 In some case *(conf overridden in INI file,...)*, you may have to ignore

doc/sources/admin/notifications.rst

@@ -356,7 +356,7 @@ Available options:
 
 -  **Server**: Enable/Disable notification server
 -  **Default condition**: Condition appended to ALL notifications
-   inserted by notification server (JSON format only)
+   inserted by notification server
 -  **Notification parameters to send**: Notifications parameters
    returned by ``GET`` method
 -  **HTTP methods**: Enable/Disable HTTP methods

doc/sources/admin/parameterlist.rst

@@ -18,7 +18,6 @@ Key name                                                Documentation
 ADPwdExpireWarning                                      AD password expire warning                                                           ✔
 ADPwdMaxAge                                             AD password max age                                                                  ✔
 AuthLDAPFilter                                          LDAP filter for auth search                                                          ✔
-LDAPFilter                                              Default LDAP filter                                                                  ✔
 SMTPAuthPass                                            Password to use to send mails                                                        ✔
 SMTPAuthUser                                            Login to use to send mails                                                           ✔
 SMTPPort                                                Fix SMTP port                                                                        ✔

doc/sources/admin/plugincustom.rst

@@ -247,17 +247,10 @@ First, create a file to contain the plugin code ::
 Enabling your plugin
 ~~~~~~~~~~~~~~~~~~~~
 
-Declare the plugin in lemonldap-ng.ini:
+Declare the plugin in Manager, in General Parameters > Plugins > Custom
+Plugins.
 
-::
-
-   vi /etc/lemonldap-ng/lemonldap-ng.ini
-
-.. code-block:: perl
-
-   [portal]
-   customPlugins = Lemonldap::NG::Portal::MyPlugin
-   ;customPlugins = Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2, ...
-
-Since 2.0.7, it can also be configured in Manager, in General Parameters
-> Plugins > Custom Plugins.
+-  Modules list: for example
+   ``Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2``
+-  Additional parameters: parameters that will be available in
+   ``customPluginsParams`` configuration key

doc/sources/admin/portalcustom.rst

@@ -346,7 +346,6 @@ Password management
    revealed. Disabled by default.
 
 Password Policy
----------------
 
 .. tip::
 

doc/sources/admin/prereq.rst

@@ -65,8 +65,8 @@ Core
 -  Regexp::Common
 -  SOAP::Lite *(optional)*
 -  String::Random
--  Text::Unidecode *(Since LemonLDAP::NG 2.0.5)*
 -  Unicode::String
+-  Text::Unidecode
 -  URI
 -  URI::Escape
 
@@ -88,7 +88,6 @@ SAML2
 
 -  `Lasso <http://lasso.entrouvert.org/>`__
 -  GLib
--  XML::Simple
 
 Second factor
 ~~~~~~~~~~~~~
@@ -135,11 +134,11 @@ SMTP & Reset password/certificate by mail
 Unit tests
 ~~~~~~~~~~
 
--  Authen::U2F::Tester
--  Crypt::U2F::Server
--  Test::MockObject
--  Test::Output
 -  Test::POD
+-  Test::MockObject
+-  Crypt::U2F::Server
+-  Authen::U2F::Tester
+-  Test::Output
 -  Time::Fake
 -  YAML
 
@@ -169,7 +168,7 @@ Perl dependencies:
 
 ::
 
-   apt install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libtext-unidecode-perl libcookie-baker-xs-perl
+   apt install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-libxslt-perl libcrypt-urandom-perl libtext-unidecode-perl libcookie-baker-xs-perl
 
 For Apache:
 
@@ -199,7 +198,7 @@ Perl dependencies:
 
 ::
 
-   yum install perl-Apache-Session perl-Cache-Cache perl-Clone perl-Config-IniFiles perl-Convert-PEM perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Crypt-Rijndael perl-Digest-HMAC perl-Digest-SHA perl-GD-SecurityImage perl-HTML-Template perl-IO-String perl-JSON perl-LDAP perl-Mouse perl-Plack perl-Regexp-Assemble perl-Regexp-Common perl-SOAP-Lite perl-String-Random perl-Unicode-String perl-version perl-XML-Simple perl-Crypt-URandom perl-Email-Sender
+   yum install perl-Apache-Session perl-Cache-Cache perl-Clone perl-Config-IniFiles perl-Convert-PEM perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Crypt-Rijndael perl-Digest-HMAC perl-Digest-SHA perl-GD-SecurityImage perl-HTML-Template perl-IO-String perl-JSON perl-LDAP perl-Mouse perl-Plack perl-Regexp-Assemble perl-Regexp-Common perl-SOAP-Lite perl-String-Random perl-Unicode-String perl-version perl-Crypt-URandom perl-Email-Sender
 
 For Apache:
 

doc/sources/admin/refreshsessionapi.rst

@@ -5,8 +5,6 @@ This plugin appends an endpoint to refresh sessions by user. It provides
 ``https://portal/refreshsession`` endpoint. Protect it by webserver
 configuration.
 
-This plugin is available with LLNG ≥ 2.0.7.
-
 Usage
 -----
 

doc/sources/admin/start.rst

@@ -1,4 +1,4 @@
-Documentation for LemonLDAP::NG 2.0
+Documentation for LemonLDAP::NG 3.0
 ===================================
 
 .. image:: logos/logo_llng_600px.png

doc/sources/admin/upgrade.rst

@@ -1,2 +1,4 @@
+.. include:: upgrade_2_1_x.rst
+.. include:: upgrade_2_1.rst
 .. include:: upgrade_2_0_x.rst
 .. include:: upgrade_2_0.rst

doc/sources/admin/upgrade_2_1.rst

@@ -0,0 +1,9 @@
+Upgrade from 2.0 to 2.1
+=======================
+
+SOAP deprecation
+----------------
+
+LLNG 2.1.x will be the last major version supporting SOAP services.
+Please start migration to :doc:`REST services<restservices>` *(available
+since 2.0.0)*.

doc/sources/admin/upgrade_2_1_x.rst

@@ -0,0 +1,10 @@
+Upgrade from 2.1.x to 2.1.y
+===========================
+
+Update from one minor version to another does not require any particular
+action. Please apply general caution as you would with any software:
+have backups and a rollback plan ready!
+
+Do not forget to read the release notes of the version you are about to
+install for any specific instructions.
+

doc/sources/admin/writingrulesand_headers.rst

@@ -132,12 +132,11 @@ There are three ways to impose users a higher authentication level:
 
 -  writing a rule based on authentication level:
    ``$authenticationLevel > 3``
--  since 2.0, set a minimum level in virtual host options (default value
-   for ALL access rules)
--  since 2.0.7, a minimum authentication level can be set for each URI
-   access rule. Useful if URI are protected by different types of
-   handler (AuthBasic -> level 2, Main -> level set by authentication
-   backend).
+-  set a minimum level in virtual host options (default value for ALL
+   access rules)
+-  a minimum authentication level can be set for each URI access rule.
+   Useful if URI are protected by different types of handler (AuthBasic
+   -> level 2, Main -> level set by authentication backend).
 
 
 .. tip::
@@ -146,6 +145,24 @@ There are three ways to impose users a higher authentication level:
     to a form that explain that a higher level is required and propose to
     reauthenticate himself.
 
+Using regexp capture in rules
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If URL regexp captures something *(using parenthesis)*, you can use them
+in the corresponding rule using ``$_rulematch[1]``. Example: only user
+can access to its personal area:
+
+-  Regexp: ``/^public_html/(\w+)(/.*)?$``
+-  Rule: ``$uid eq $_rulematch[1]``
+
+$_rulematch is an array that contains all captured strings. First index
+is 1.
+
+
+.. warning::
+
+    This feature requires Perl ≥ 5.25.7
+
 .. _headers:
 
 Headers
@@ -209,8 +226,8 @@ headers:
 Wildcards in hostnames
 ----------------------
 
-|image1| Since 2.0, a wildcard can be used in virtualhost name (not in
-aliases !): ``*.example.com`` matches all hostnames that belong to
+Since 2.0, a wildcard can be used in virtualhost name (not in aliases
+!): ``*.example.com`` matches all hostnames that belong to
 ``example.com`` domain. Version 2.0.9 improves this and allows better
 wildcards such as ``test-*.example.com`` or ``test-%.example.com``. The
 ``%`` wilcard doesn't match subdomains.

e2e-tests/lmConf-1.json

@@ -100,7 +100,7 @@
   "cfgDate": 1428138808,
   "cfgLog": "Default configuration provided by LemonLDAP::NG team",
   "cfgNum": "1",
-  "cfgVersion": "2.0.0",
+  "cfgVersion": "2.1.0",
   "cookieName": "lemonldap",
   "customFunctions": "My::hello My::get_additional_arg",
   "demoExportedVars": {

fastcgi-server/man/llng-fastcgi-server.8p

@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "llng-fastcgi-server 8"
-.TH llng-fastcgi-server 8 "2021-08-10" "perl v5.32.1" "User Contributed Perl Documentation"
+.TH llng-fastcgi-server 8 "2021-08-01" "perl v5.32.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

fastcgi-server/sbin/llng-fastcgi-server

@@ -7,7 +7,7 @@ use POSIX;
 use Getopt::Long;
 use Lemonldap::NG::Handler::Main::Reload;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 our (
     $foreground,  $engine,              $nproc,  $pidFile,

lemonldap-ng-common/MANIFEST

@@ -37,6 +37,7 @@ lib/Lemonldap/NG/Common/Conf/Wrapper.pm
 lib/Lemonldap/NG/Common/Crypto.pm
 lib/Lemonldap/NG/Common/EmailTransport.pm
 lib/Lemonldap/NG/Common/FormEncode.pm
+lib/Lemonldap/NG/Common/IO/Filter.pm
 lib/Lemonldap/NG/Common/IPv6.pm
 lib/Lemonldap/NG/Common/JWT.pm
 lib/Lemonldap/NG/Common/Logger/_Duplicate.pm
@@ -91,8 +92,11 @@ t/35-Common-Crypto.t
 t/36-Common-Regexp.t
 t/40-Common-Session.t
 t/50-Combination-Parser.t
+t/60-Common-IO-Filter.t
 t/60-Session-Cli.t
 t/99-pod.t
+t/inc.tpl
+t/test.tpl
 tools/apache-session-mysql.sql
 tools/lmConfig.CDBI.mysql
 tools/lmConfig.RDBI.mysql

lemonldap-ng-common/META.json

@@ -4,7 +4,7 @@
       "Xavier Guimard <x.guimard@free.fr>, Clément Oudot <clement@oodo.net>"
    ],
    "dynamic_config" : 1,
-   "generated_by" : "ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010",
+   "generated_by" : "ExtUtils::MakeMaker version 7.44, CPAN::Meta::Converter version 2.150010",
    "license" : [
       "open_source"
    ],
@@ -78,6 +78,6 @@
       ],
       "x_MailingList" : "mailto:lemonldap-ng-dev@ow2.org"
    },
-   "version" : "v2.0.13",
+   "version" : "v2.1.0",
    "x_serialization_backend" : "JSON::PP version 4.04"
 }

lemonldap-ng-common/META.yml

@@ -10,7 +10,7 @@ build_requires:
 configure_requires:
   ExtUtils::MakeMaker: '0'
 dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.34, CPAN::Meta::Converter version 2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.44, CPAN::Meta::Converter version 2.150010'
 license: open_source
 meta-spec:
   url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -54,5 +54,5 @@ resources:
   bugtracker: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues
   homepage: http://lemonldap-ng.org/
   license: http://opensource.org/licenses/GPL-2.0
-version: v2.0.13
+version: v2.1.0
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'

lemonldap-ng-common/lib/Lemonldap/NG/Common.pm

@@ -1,6 +1,6 @@
 package Lemonldap::NG::Common;
 
-our $VERSION = '2.0.13';
+our $VERSION = '2.1.0';
 
 1;
 __END__

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session.pm

@@ -15,7 +15,7 @@ use Lemonldap::NG::Common::Apache::Session::Serialize::JSON;
 use Lemonldap::NG::Common::Apache::Session::Store;
 use Lemonldap::NG::Common::Apache::Session::Lock;
 
-our $VERSION = '2.0.6';
+our $VERSION = '2.1.0';
 
 sub _load {
     my ( $backend, $func ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Generate/SHA256.pm

@@ -11,7 +11,7 @@ package Lemonldap::NG::Common::Apache::Session::Generate::SHA256;
 use strict;
 use Crypt::URandom;
 
-our $VERSION = '2.0.2';
+our $VERSION = '2.1.0';
 
 sub generate {
     my $session = shift;
@@ -21,17 +21,8 @@ sub generate {
         $length = $session->{args}->{IDLength};
     }
 
-    eval {
-        $session->{data}->{_session_id} =
-          unpack( 'H*', Crypt::URandom::urandom( int( $length / 2 ) ) );
-    };
-    if ($@) {
-        print STDERR "Crypt::URandom::urandom failed: $@\n";
-        require Digest::SHA;
-        $session->{data}->{_session_id} =
-          substr( Digest::SHA::sha256_hex( time() . {} . rand() . $$ ),
-            0, $length );
-    }
+    $session->{data}->{_session_id} =
+      unpack( 'H*', Crypt::URandom::urandom( int( $length / 2 ) ) );
 }
 
 sub validate {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Lock.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Apache::Session::Lock;
 
 use strict;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub new {
     my $class   = shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/REST.pm

@@ -5,7 +5,7 @@ use Lemonldap::NG::Common::UserAgent;
 use Lemonldap::NG::Common::Apache::Session::Generate::SHA256;
 use JSON qw(from_json to_json);
 
-our $VERSION = '2.0.5';
+our $VERSION = '2.1.0';
 
 our @ISA = qw(Lemonldap::NG::Common::Apache::Session::Generate::SHA256);
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/SOAP.pm

@@ -8,7 +8,7 @@ package Lemonldap::NG::Common::Apache::Session::SOAP;
 use strict;
 use SOAP::Lite;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 #parameter proxy Url of SOAP service
 #parameter proxyOptions SOAP::Lite options

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Serialize/JSON.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Apache::Session::Serialize::JSON;
 use strict;
 use JSON qw(to_json from_json);
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub serialize {
     my $session = shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Apache::Session::Store;
 
 use strict;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 sub new {
     my $class = shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Cli.pm

@@ -5,10 +5,10 @@ use Mouse;
 use Lemonldap::NG::Common::Conf;
 use Lemonldap::NG::Common::EmailTransport;
 
-our $VERSION = '2.0.8';
-
 extends 'Lemonldap::NG::Common::PSGI::Cli::Lib';
 
+our $VERSION = '2.1.0';
+
 has confAccess => (
     is      => 'rw',
     builder => sub {

lemonldap-ng-common/lib/Lemonldap/NG/Common/CliSessions.pm

@@ -9,7 +9,7 @@ use Lemonldap::NG::Common::Apache::Session;
 use Lemonldap::NG::Common::Session;
 use Lemonldap::NG::Common::Util qw/getPSessionID genId2F/;
 
-our $VERSION = '2.0.9';
+our $VERSION = '2.1.0';
 
 has opts => ( is => 'rw' );
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Combination/Parser.pm

@@ -5,7 +5,7 @@ use Mouse;
 use Safe;
 use constant PE_OK => 0;
 
-our $VERSION = '2.0.6';
+our $VERSION = '2.1.0';
 
 # Handle "if then else" (used during init)
 # return a sub that can be called with ($req) to get a [array] of combination

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf.pm

@@ -27,7 +27,7 @@ use Config::IniFiles;
 #inherits Lemonldap::NG::Common::Conf::Backends::SOAP
 #inherits Lemonldap::NG::Common::Conf::Backends::LDAP
 
-our $VERSION = '2.0.14';
+our $VERSION = '2.1.0';
 our $msg     = '';
 our $iniObj;
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/AccessLib.pm

@@ -11,7 +11,7 @@ has 'configStorage' => ( is => 'rw', isa => 'HashRef', default => sub { {} } );
 has 'currentConf' => ( is => 'rw', required => 1, default => sub { {} } );
 has 'protection'  => ( is => 'rw', isa      => 'Str', default => 'manager' );
 
-our $VERSION = '2.0.11';
+our $VERSION = '2.1.0';
 
 ## @method Lemonldap::NG::Common::Conf confAcc()
 # Configuration access object

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/CDBI.pm

@@ -5,7 +5,7 @@ use utf8;
 use JSON;
 use Lemonldap::NG::Common::Conf::Backends::_DBI;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 our @ISA     = qw(Lemonldap::NG::Common::Conf::Backends::_DBI);
 
 sub store {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/DBI.pm

@@ -5,7 +5,7 @@ use utf8;
 use Lemonldap::NG::Common::Conf::Serializer;
 use Lemonldap::NG::Common::Conf::Backends::_DBI;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 our @ISA     = qw(Lemonldap::NG::Common::Conf::Backends::_DBI);
 
 sub store {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/File.pm

@@ -5,7 +5,7 @@ use Lemonldap::NG::Common::Conf::Constants;    #inherits
 use JSON;
 use Encode;
 
-our $VERSION = '2.0.9';
+our $VERSION = '2.1.0';
 our $initDone;
 
 sub Lemonldap::NG::Common::Conf::_lock {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/JSONFile.pm

@@ -5,7 +5,7 @@ package Lemonldap::NG::Common::Conf::Backends::JSONFile;
 use Lemonldap::NG::Common::Conf::Backends::File;
 
 our @ISA     = qw(Lemonldap::NG::Common::Conf::Backends::File);
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 1;
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/LDAP.pm

@@ -11,7 +11,7 @@ use Net::LDAP;
 use Lemonldap::NG::Common::Conf::Constants;    #inherits
 use Lemonldap::NG::Common::Conf::Serializer;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 BEGIN {
     *Lemonldap::NG::Common::Conf::ldap = \&ldap;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/Local.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Conf::Backends::Local;
 use strict;
 use Lemonldap::NG::Common::Conf::Constants;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub prereq {
     return 1;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/MongoDB.pm

@@ -5,7 +5,7 @@ use utf8;
 use strict;
 use Lemonldap::NG::Common::Conf::Serializer;
 
-our $VERSION = '2.0.1';
+our $VERSION = '2.1.0';
 our $initDone;
 
 sub prereq {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/RDBI.pm

@@ -5,7 +5,7 @@ use utf8;
 use Lemonldap::NG::Common::Conf::Serializer;
 use Lemonldap::NG::Common::Conf::Backends::_DBI;
 
-our $VERSION = '2.0.12';
+our $VERSION = '2.1.0';
 our @ISA     = qw(Lemonldap::NG::Common::Conf::Backends::_DBI);
 
 sub store {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/REST.pm

@@ -4,7 +4,7 @@ use strict;
 use Lemonldap::NG::Common::UserAgent;
 use JSON qw(from_json to_json);
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 #parameter baseUrl, user, password, realm, lwpOpts
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/SOAP.pm

@@ -5,7 +5,7 @@ use utf8;
 use SOAP::Lite;
 use Lemonldap::NG::Common::Conf::Constants;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 #parameter proxy Url of SOAP service
 #parameter proxyOptions SOAP::Lite parameters

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/YAMLFile.pm

@@ -5,7 +5,7 @@ use Lemonldap::NG::Common::Conf::Constants;    #inherits
 use YAML qw();
 use Encode;
 
-our $VERSION = '2.0.9';
+our $VERSION = '2.1.0';
 our $initDone;
 $YAML::Numify = 1;
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/_DBI.pm

@@ -5,7 +5,7 @@ use utf8;
 use DBI;
 use Lemonldap::NG::Common::Conf::Constants;    #inherits
 
-our $VERSION = '2.0.12';
+our $VERSION = '2.1.0';
 our @ISA     = qw(Lemonldap::NG::Common::Conf::Constants);
 our ( @EXPORT, %EXPORT_TAGS );
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Compact.pm

@@ -4,7 +4,7 @@ use strict;
 use Mouse;
 use Lemonldap::NG::Common::Conf::ReConstants;
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 sub compactConf {
     my ( $self, $conf ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm

@@ -5,7 +5,7 @@ use strict;
 use Exporter 'import';
 use base qw(Exporter);
 
-our $VERSION = '2.0.14';
+our $VERSION = '2.1.0';
 
 # CONSTANTS
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -1,7 +1,7 @@
 # This file is generated by Lemonldap::NG::Manager::Build. Don't modify it by hand
 package Lemonldap::NG::Common::Conf::DefaultValues;
 
-our $VERSION = '2.0.14';
+our $VERSION = '2.1.0';
 
 sub defaultValues {
     return {
@@ -18,18 +18,18 @@ sub defaultValues {
         'authChoiceParam' => 'lmAuth',
         'authentication'  => 'Demo',
         'available2F'     => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey,Radius',
-        'available2FSelfRegistration'        => 'TOTP,U2F,Yubikey',
-        'bruteForceProtectionLockTimes'      => '15, 30, 60, 300, 600',
-        'bruteForceProtectionMaxAge'         => 300,
-        'bruteForceProtectionMaxFailed'      => 3,
-        'bruteForceProtectionMaxLockTime'    => 900,
-        'bruteForceProtectionTempo'          => 30,
-        'captcha_mail_enabled'               => 1,
-        'captcha_register_enabled'           => 1,
-        'captcha_size'                       => 6,
-        'casAccessControlPolicy'             => 'none',
-        'casAuthnLevel'                      => 1,
-        'certificateResetByMailCeaAttribute' => 'description',
+        'available2FSelfRegistration'                => 'TOTP,U2F,Yubikey',
+        'bruteForceProtectionLockTimes'              => '15, 30, 60, 300, 600',
+        'bruteForceProtectionMaxAge'                 => 300,
+        'bruteForceProtectionMaxFailed'              => 3,
+        'bruteForceProtectionMaxLockTime'            => 900,
+        'bruteForceProtectionTempo'                  => 30,
+        'captcha_mail_enabled'                       => 1,
+        'captcha_register_enabled'                   => 1,
+        'captcha_size'                               => 6,
+        'casAccessControlPolicy'                     => 'none',
+        'casAuthnLevel'                              => 1,
+        'certificateResetByMailCeaAttribute'         => 'description',
         'certificateResetByMailCertificateAttribute' =>
           'userCertificate;binary',
         'certificateResetByMailURL' =>
@@ -90,6 +90,7 @@ sub defaultValues {
         'facebookExportedVars' => {},
         'facebookUserField'    => 'id',
         'failedLoginNumber'    => 5,
+        'favAppsMaxNumber'     => 3,
         'findUserControl'      => '^[*\\w]+$',
         'findUserWildcard'     => '*',
         'formTimeout'          => 120,
@@ -100,7 +101,7 @@ sub defaultValues {
         'globalLogoutTimer'    => 1,
         'globalStorage'        => 'Apache::Session::File',
         'globalStorageOptions' => {
-            'Directory' => '/var/lib/lemonldap-ng/sessions/',
+            'Directory'      => '/var/lib/lemonldap-ng/sessions/',
             'generateModule' =>
               'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
             'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
@@ -173,20 +174,20 @@ sub defaultValues {
         'locationRules' => {
             'default' => 'deny'
         },
-        'logoutServices'         => {},
-        'macros'                 => {},
-        'mail2fActivation'       => 0,
-        'mail2fCodeRegex'        => '\\d{6}',
-        'mailCharset'            => 'utf-8',
-        'mailFrom'               => 'noreply@example.com',
-        'mailSessionKey'         => 'mail',
-        'mailTimeout'            => 0,
-        'mailUrl'                => 'http://auth.example.com/resetpwd',
-        'managerDn'              => '',
-        'managerPassword'        => '',
-        'max2FDevices'           => 10,
-        'max2FDevicesNameLength' => 20,
-        'multiValuesSeparator'   => '; ',
+        'logoutServices'            => {},
+        'macros'                    => {},
+        'mail2fActivation'          => 0,
+        'mail2fCodeRegex'           => '\\d{6}',
+        'mailCharset'               => 'utf-8',
+        'mailFrom'                  => 'noreply@example.com',
+        'mailSessionKey'            => 'mail',
+        'mailTimeout'               => 0,
+        'mailUrl'                   => 'http://auth.example.com/resetpwd',
+        'managerDn'                 => '',
+        'managerPassword'           => '',
+        'max2FDevices'              => 10,
+        'max2FDevicesNameLength'    => 20,
+        'multiValuesSeparator'      => '; ',
         'mySessionAuthorizedRWKeys' =>
           [ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
         'newLocationWarningLocationAttribute'        => 'ipAddr',
@@ -194,7 +195,7 @@ sub defaultValues {
         'newLocationWarningMaxValues'                => '0',
         'notificationDefaultCond'                    => '',
         'notificationServerPOST'                     => 1,
-        'notificationServerSentAttributes' =>
+        'notificationServerSentAttributes'           =>
           'uid reference date title subtitle text check',
         'notificationsMaxRetrieve'   => 3,
         'notificationStorage'        => 'File',
@@ -248,7 +249,7 @@ sub defaultValues {
         'passwordPolicyMinUpper'              => 0,
         'passwordPolicySpecialChar'           => '__ALL__',
         'passwordResetAllowedRetries'         => 3,
-        'persistentSessionAttributes' =>
+        'persistentSessionAttributes'         =>
           '_loginHistory _2fDevices notification_',
         'port'                          => -1,
         'portal'                        => 'http://auth.example.com/',
@@ -256,10 +257,11 @@ sub defaultValues {
         'portalCheckLogins'             => 1,
         'portalDisplayAppslist'         => 1,
         'portalDisplayChangePassword'   => '$_auth =~ /^(LDAP|DBI|Demo)$/',
+        'portalDisplayFavApps'          => 1,
         'portalDisplayGeneratePassword' => 1,
         'portalDisplayLoginHistory'     => 1,
         'portalDisplayLogout'           => 1,
-        'portalDisplayOidcConsents' =>
+        'portalDisplayOidcConsents'     =>
           '$_oidcConsents && $_oidcConsents =~ /\\w+/',
         'portalDisplayRefreshMyRights' => 1,
         'portalDisplayRegister'        => 1,
@@ -287,11 +289,11 @@ sub defaultValues {
               'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
             'proxy' => 'http://auth.example.com/sessions'
         },
-        'requireToken'       => 1,
-        'rest2fActivation'   => 0,
-        'restAuthnLevel'     => 2,
-        'restClockTolerance' => 15,
-        'sameSite'           => '',
+        'requireToken'                                         => 1,
+        'rest2fActivation'                                     => 0,
+        'restAuthnLevel'                                       => 2,
+        'restClockTolerance'                                   => 15,
+        'sameSite'                                             => '',
         'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
           'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
         'samlAuthnContextMapKerberos'                   => 4,
@@ -331,7 +333,7 @@ sub defaultValues {
 '0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
         'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' =>
 '1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
-        'samlSPSSODescriptorAuthnRequestsSigned' => 1,
+        'samlSPSSODescriptorAuthnRequestsSigned'         => 1,
         'samlSPSSODescriptorSingleLogoutServiceHTTPPost' =>
 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
         'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
@@ -343,7 +345,7 @@ sub defaultValues {
         'sfEngine'                                => '::2F::Engines::Default',
         'sfManagerRule'                           => 1,
         'sfRemovedMsgRule'                        => 0,
-        'sfRemovedNotifMsg' =>
+        'sfRemovedNotifMsg'                       =>
 '_removedSF_ expired second factor(s) has/have been removed (_nameSF_)!',
         'sfRemovedNotifRef'       => 'RemoveSF',
         'sfRemovedNotifTitle'     => 'Second factor notification',

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/RESTServer.pm

@@ -6,7 +6,7 @@ use Mouse;
 use Lemonldap::NG::Common::Conf::Constants;
 use Lemonldap::NG::Common::Conf::ReConstants;
 
-our $VERSION = '2.0.12';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::Conf::AccessLib';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm

@@ -5,7 +5,7 @@ use strict;
 use Exporter 'import';
 use base qw(Exporter);
 
-our $VERSION = '2.0.14';
+our $VERSION = '2.1.0';
 
 our %EXPORT_TAGS = ( 'all' => [qw($simpleHashKeys $doubleHashKeys $specialNodeKeys $casAppMetaDataNodeKeys $casSrvMetaDataNodeKeys $oidcOPMetaDataNodeKeys $oidcRPMetaDataNodeKeys $samlIDPMetaDataNodeKeys $samlSPMetaDataNodeKeys $virtualHostKeys $specialNodeHash $authParameters $issuerParameters $samlServiceParameters $oidcServiceParameters $casServiceParameters)] );
 our @EXPORT_OK   = ( @{ $EXPORT_TAGS{'all'} } );
@@ -37,7 +37,7 @@ our $authParameters = {
   apacheParams => [qw(apacheAuthnLevel)],
   casParams => [qw(casAuthnLevel)],
   choiceParams => [qw(authChoiceParam authChoiceModules authChoiceAuthBasic authChoiceFindUser)],
-  combinationParams => [qw(combination combModules)],
+  combinationParams => [qw(combination combModules combinationForms)],
   customParams => [qw(customAuth customUserDB customPassword customRegister customResetCertByMail customAddParams)],
   dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash dbiDynamicHashEnabled dbiDynamicHashValidSchemes dbiDynamicHashValidSaltedSchemes dbiDynamicHashNewPasswordScheme)],
   demoParams => [qw(demoExportedVars)],
@@ -45,7 +45,7 @@ our $authParameters = {
   githubParams => [qw(githubAuthnLevel githubClientID githubClientSecret githubUserField githubScope)],
   gpgParams => [qw(gpgAuthnLevel gpgDb)],
   kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain krbAllowedDomains)],
-  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapVerify ldapBase managerDn managerPassword ldapTimeout ldapIOTimeout ldapVersion ldapRaw ldapCAFile ldapCAPath LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapGetUserBeforePasswordChange ldapITDS)],
+  ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapVerify ldapBase managerDn managerPassword ldapTimeout ldapIOTimeout ldapVersion ldapRaw ldapCAFile ldapCAPath AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapGetUserBeforePasswordChange ldapITDS)],
   linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInFields linkedInUserField linkedInScope)],
   nullParams => [qw(nullAuthnLevel)],
   oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
@@ -69,6 +69,6 @@ our $issuerParameters = {
   issuerOptions => [qw(issuersTimeout)],
 };
 our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlMetadataForceUTF8 samlRelayStateTimeout samlUseQueryStringSpecific samlOverrideIDPEntityID samlStorage samlStorageOptions samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive)];
-our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowOnlyDeclaredScopes oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcServiceAuthorizationCodeExpiration oidcServiceAccessTokenExpiration oidcServiceIDTokenExpiration oidcServiceOfflineSessionExpiration oidcStorage oidcStorageOptions oidcServiceDynamicRegistrationExportedVars oidcServiceDynamicRegistrationExtraClaims)];
+our $oidcServiceParameters = [qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowOnlyDeclaredScopes oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcServiceAuthorizationCodeExpiration oidcServiceAccessTokenExpiration oidcServiceIDTokenExpiration oidcServiceOfflineSessionExpiration oidcStorage oidcStorageOptions oidcServiceDynamicRegistrationExportedVars oidcServiceDynamicRegistrationExtraClaims)];
 
 1;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm

@@ -14,7 +14,7 @@ use MIME::Base64;
 use Safe;
 use Encode;
 
-our $VERSION = '2.0.9';
+our $VERSION = '2.1.0';
 
 my $dataStart = tell(DATA);
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Serializer.pm

@@ -6,7 +6,7 @@ use Encode;
 use JSON;
 use Lemonldap::NG::Common::Conf::Constants;
 
-our $VERSION = '2.0.12';
+our $VERSION = '2.1.0';
 
 BEGIN {
     *Lemonldap::NG::Common::Conf::normalize      = \&normalize;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Wrapper.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Conf::Wrapper;
 use strict;
 use JSON;
 
-our $VERSION = '2.0.3';
+our $VERSION = '2.1.0';
 
 sub TIEHASH {
     my ( $class, $conf, $overrides ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Crypto.pm

@@ -12,32 +12,22 @@ use strict;
 use Crypt::Rijndael;
 use MIME::Base64;
 use Digest::SHA;
+use Crypt::URandom;
 use bytes;
 
-our $VERSION = '2.0.0';
-my ( $newIv, $randG, $hash );
-$hash = \&Digest::SHA::sha256;
+our $VERSION = '2.1.0';
+my $hash = \&Digest::SHA::sha256;
 
 use constant HMAC_LENGTH => 32;
 use constant IV_LENGTH   => 16;
 
-# Build initialization vector subroutine
-BEGIN {
-    eval { require Crypt::URandom; Crypt::URandom::urandom(IV_LENGTH) };
-    if ($@) {
-        $newIv = sub {
-            return bytes::substr( Digest::SHA::sha1( rand() . time . {} ),
-                0, IV_LENGTH );
-        };
-        $randG = sub { return int( rand( $_[0] ) ) };
-    }
-    else {
-        $newIv = sub { return Crypt::URandom::urandom(IV_LENGTH) };
-        $randG = sub {
-            return
-              int( unpack( "C", Crypt::URandom::urandom(1) ) * $_[0] / 256 );
-        };
-    }
+sub newIv {
+    return Crypt::URandom::urandom(IV_LENGTH);
+}
+
+sub randG {
+    my ($max) = @_;
+    return int( unpack( "C", Crypt::URandom::urandom(1) ) * $max / 256 );
 }
 
 our $msg;
@@ -65,7 +55,7 @@ sub new {
 # @param key that secondary key
 # @return Crypt::Rijndael object
 sub _getCipher {
-    my ( $self, $key ) = @_;
+    my ( $self, $key, $iv ) = @_;
     $key ||= "";
     $self->{ciphers}->{$key} ||=
       Crypt::Rijndael->new( $hash->( $self->{key}, $key ), $self->{mode} );
@@ -87,7 +77,7 @@ sub encrypt {
     my $iv =
       $low
       ? bytes::substr( Digest::SHA::sha1( rand() . time . {} ), 0, IV_LENGTH )
-      : $newIv->();
+      : newIv();
     my $hmac = $hash->($data);
     eval {
         $data =
@@ -190,7 +180,7 @@ sub _cryptHex {
     }
     my $iv;
     if ( $sub eq 'encrypt' ) {
-        $iv = $newIv->();
+        $iv = newIv();
     }
     $data = pack "H*", $data;
     if ( $sub eq 'decrypt' ) {
@@ -215,7 +205,7 @@ sub srandom {
     if ($@) {
         die 'Missing recommended dependency to String::Random';
     }
-    return String::Random->new( rand_gen => $randG );
+    return String::Random->new( rand_gen => \&randG );
 }
 
 1;

lemonldap-ng-common/lib/Lemonldap/NG/Common/EmailTransport.pm

@@ -6,7 +6,7 @@ use MIME::Entity;
 use Email::Sender::Simple qw(sendmail);
 use Email::Date::Format qw(email_date);
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 sub new {
     my ( $class, $conf ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/FormEncode.pm

@@ -4,7 +4,7 @@ use strict;
 use Exporter;
 
 our @ISA     = qw(Exporter);
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 our @EXPORT_OK = qw(build_urlencoded);
 our @EXPORT    = qw(build_urlencoded);

lemonldap-ng-common/lib/Lemonldap/NG/Common/IO/Filter.pm

@@ -0,0 +1,176 @@
+# IO::Handle filter. Used to transform HTML::Template on the fly.
+package Lemonldap::NG::Common::IO::Filter;
+use strict;
+use IO::File;
+use Symbol;
+
+#our @ISA = ('IO::File');
+
+sub new {
+    my ( $class, $file, $opt ) = @_;
+    $opt->{_i} = ( ref $file ? $file : IO::File->new($file) )
+      or die("Unable to build IO::File object $!");
+    my $self = ref $class ? $class : bless gensym, $class;
+    tie( *$self, $class, $opt );
+    return $self;
+}
+
+sub TIEHANDLE {
+    my ( $class, $data ) = @_;
+    return bless( $data, $class );
+}
+
+sub READLINE {
+    my ($self) = shift;
+    my $res = $self->{_i}->getline;
+    foreach my $key ( keys %$self ) {
+        next if ( $key eq '_i' );
+        if ( ref( $self->{$key} ) eq 'CODE' ) {
+            $res =~ s/__LLNG_${key}__/$self->{$key}->()/gse;
+        }
+        elsif ( ref $self->{$key} eq 'ARRAY' ) {
+            next;
+        }
+        elsif ( ref $self->{$key} ) {
+            local $/ = undef;
+            $res =~ s/__LLNG_${key}__/$self->{$key}->getline/gse;
+        }
+    }
+
+    # Parse strings after code/IO
+    foreach my $key ( keys %$self ) {
+        die "Undefined value for __LLNG_${key}__ substitution"
+          unless $self->{$key};
+        my $v =
+          ( ref $self->{$key} and ref $self->{$key} eq 'ARRAY' )
+          ? $self->{$key}
+          : [ $self->{$key} ];
+        $v = join "\n",
+          map { ref $_ ? () : qq'<TMPL_INCLUDE NAME="$_.tpl">' } @$v;
+        $res =~ s/__LLNG_${key}__/$v/gs;
+    }
+    return $res;
+}
+
+sub DESTROY {
+    my ($self) = @_;
+    $self->close() if ( ref($self) eq 'SCALAR' );
+}
+
+sub AUTOLOAD {
+    no strict;
+    my $self = shift;
+    $AUTOLOAD =~ s/^.*:://;
+    $AUTOLOAD = lc $AUTOLOAD;
+    return tied( ${$self} )->{_i}->$AUTOLOAD(@_);
+}
+
+1;
+__END__
+=head1 NAME
+
+Lemonldap::NG::Common::IO::Filter - IO::Handle filter
+
+=head1 SYNOPSIS
+
+  use HTML::Template;
+  my $fh = Lemonldap::NG::Common::IO::Filter->new(
+    'template.tpl',
+    {
+      # Replace all __LLNG_AUTH__ by:
+      # <TMPL_INCLUDE NAME="login.tpl">
+      AUTH => 'login',
+      # Replace all __LLNG_CODE__ by the result of the given function
+      CODE => sub {return "INCLUDED STRING"}
+    }
+  );
+  my $h = HTML::Template->new( filehandle => $fh );
+  print $h->output;
+
+Input:
+
+  <html><body>
+  __LLNG_AUTH__
+  <hr>
+  __LLNG_CODE__
+  </body></html>
+
+Output:
+
+  <html><body>
+  <TMPL_INCLUDE NAME="login.tpl">
+  <hr>
+  INCLUDED STRING
+  </body></html>
+
+Same but with a L<IO::Handle> file:
+
+  use HTML::Template;
+  my $file = IO::File->new('test.tpl');
+  my $fh = Lemonldap::NG::Common::IO::Filter->new_from_io(
+    $file,
+    {
+      # Replace all __LLNG_AUTH__ by:
+      # <TMPL_INCLUDE NAME="login.tpl">
+      AUTH => 'login',
+      # Replace all __LLNG_CODE__ by the result of the given function
+      CODE => sub {return "INCLUDED STRING"}
+    }
+  );
+  my $h = HTML::Template->new( filehandle => $fh );
+  print $h->output;
+
+Or with an array:
+
+  use HTML::Template;
+  my $fh = Lemonldap::NG::Common::IO::Filter->new_from_io(
+    'template.tpl',
+    {
+      # Replace all __LLNG_AUTH__ by:
+      # <TMPL_INCLUDE NAME="login.tpl"> <TMPL_INCLUDE NAME="login2.tpl">
+      AUTH => [ 'login', 'login2' ],
+    }
+  );
+  my $h = HTML::Template->new( filehandle => $fh );
+  print $h->output;
+
+=head1 DESCRIPTION
+
+IO::Handle filter used to transform HTML::Template files on the fly.
+
+=head1 AUTHORS
+
+=over
+
+=item LemonLDAP::NG team L<http://lemonldap-ng.org/team>
+
+=back
+
+=head1 BUG REPORT
+
+Use OW2 system to report bug or ask for features:
+L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
+
+=head1 DOWNLOAD
+
+Lemonldap::NG is available at
+L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
+
+=head1 COPYRIGHT AND LICENSE
+
+See COPYING file for details.
+
+This library is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see L<http://www.gnu.org/licenses/>.
+
+=cut

lemonldap-ng-common/lib/Lemonldap/NG/Common/IPv6.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::IPv6;
 use strict;
 use base 'Exporter';
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 our @EXPORT = qw(&isIPv6 &net6 &expand6);
 
 sub isIPv6 {

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Apache2.pm

@@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::Apache2;
 
 use Apache2::ServerRec;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub new {
     return bless {}, shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Dispatch.pm

@@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::Dispatch;
 
 use strict;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub new {
     no warnings 'redefine';

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Log4perl.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Logger::Log4perl;
 use strict;
 use Log::Log4perl;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 our $init = 0;
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Null.pm

@@ -1,6 +1,6 @@
 package Lemonldap::NG::Common::Logger::Null;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub new {
     return bless {}, shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Sentry.pm

@@ -10,7 +10,7 @@ package Lemonldap::NG::Common::Logger::Sentry;
 use strict;
 use Sentry::Raven;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 sub new {
     my $self = bless {}, shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Std.pm

@@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::Std;
 
 use strict;
 
-our $VERSION = '2.0.5';
+our $VERSION = '2.1.0';
 
 sub new {
     no warnings 'redefine';

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/Syslog.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Logger::Syslog;
 use strict;
 use Sys::Syslog qw(:standard);
 
-our $VERSION = '2.0.9';
+our $VERSION = '2.1.0';
 
 sub new {
     my ( $class, $conf, %args ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Logger/_Duplicate.pm

@@ -2,7 +2,7 @@ package Lemonldap::NG::Common::Logger::_Duplicate;
 
 use strict;
 
-our $VERSION = '2.0.6';
+our $VERSION = '2.1.0';
 
 sub new {
     my $self = bless {}, shift;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Module.pm

@@ -3,7 +3,7 @@ package Lemonldap::NG::Common::Module;
 use strict;
 use Mouse;
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 # Object that provides loggers and error methods (typically PSGI object)
 has p => ( is => 'rw', weak_ref => 1 );

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications.pm

@@ -4,7 +4,7 @@ use strict;
 use Mouse;
 use JSON qw(to_json);
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::Module';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/DBI.pm

@@ -11,7 +11,7 @@ use Time::Local;
 use DBI;
 use Encode;
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::Notifications';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/File.pm

@@ -10,7 +10,7 @@ use Mouse;
 use Time::Local;
 use MIME::Base64;
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::Notifications';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/JSON.pm

@@ -4,7 +4,7 @@ use strict;
 use Mouse;
 use JSON qw(from_json to_json);
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 sub newNotification {
     my ( $self, $jsonString, $defaultCond ) = @_;

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/LDAP.pm

@@ -13,7 +13,7 @@ use MIME::Base64 qw/encode_base64url/;
 use Net::LDAP;
 use utf8;
 
-our $VERSION = '2.0.8';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::Notifications';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Notifications/XML.pm

@@ -4,7 +4,7 @@ use strict;
 use Mouse;
 use XML::LibXML;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 # XML parser
 has parser => (

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI.pm

@@ -3,10 +3,11 @@ package Lemonldap::NG::Common::PSGI;
 use strict;
 use Mouse;
 use JSON;
+use Lemonldap::NG::Common::IO::Filter;
 use Lemonldap::NG::Common::PSGI::Constants;
 use Lemonldap::NG::Common::PSGI::Request;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 our $_json = JSON->new->allow_nonref;
 
@@ -276,14 +277,23 @@ sub sendHtml {
     $args{code}    ||= 200;
     $args{headers} ||= [ $req->spliceHdrs ];
     my $htpl;
-    $template = ( $args{templateDir} // $self->templateDir ) . "/$template.tpl";
-    return $self->sendError( $req, "Unable to read $template", 500 )
-      unless ( -r $template and -f $template );
-    eval {
+
+    unless ( ref $template ) {
+        $template =
+          ( $args{templateDir} // $self->templateDir ) . "/$template.tpl";
+        return $self->sendError( $req, "Unable to read $template", 500 )
+          unless ( -r $template and -f $template );
         $self->logger->debug("Starting HTML generation using $template");
+    }
+    eval {
         require HTML::Template;
+        my $io =
+          $args{filter}
+          ? Lemonldap::NG::Common::IO::Filter->new( $template, $args{filter} )
+          : ref $template ? $template
+          :                 IO::File->new($template);
         $htpl = HTML::Template->new(
-            filehandle             => IO::File->new($template),
+            filehandle             => $io,
             path                   => $self->templateDir,
             search_path_on_include => 1,
             die_on_bad_params      => 0,
@@ -305,6 +315,7 @@ sub sendHtml {
                 ? %{ $args{params} }
                 : ()
             ),
+            %{ $req->{tplParams} },
         );
     };
     if ($@) {

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Cli/Lib.pm

@@ -5,7 +5,7 @@ use JSON;
 use Mouse;
 use Lemonldap::NG::Common::PSGI;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 has iniFile => ( is => 'ro', isa => 'Str' );
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Constants.pm

@@ -4,7 +4,7 @@ use strict;
 use Exporter 'import';
 
 use base qw(Exporter);
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 # CONSTANTS
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Request.pm

@@ -6,7 +6,7 @@ use JSON;
 use Plack::Request;
 use URI::Escape;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 our @ISA = ('Plack::Request');
 
@@ -35,11 +35,14 @@ sub new {
     $self->{data}        = {};
     $self->{error}       = 0;
     $self->{respHeaders} = [];
+    $self->{tplParams}   = {};
     return bless( $self, $_[0] );
 }
 
 sub data { $_[0]->{data} }
 
+sub tplParams { $_[0]->{tplParams} }
+
 sub uri { $_[0]->{uri} }
 
 sub userData {

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/Router.pm

@@ -5,7 +5,7 @@ use Mouse;
 use Lemonldap::NG::Common::PSGI;
 use Lemonldap::NG::Common::PSGI::Constants;
 
-our $VERSION = '2.0.10';
+our $VERSION = '2.1.0';
 
 extends 'Lemonldap::NG::Common::PSGI';
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/PSGI/SOAPServer.pm

@@ -8,7 +8,7 @@ use SOAP::Transport::HTTP;
 
 our @ISA = ('SOAP::Transport::HTTP::Server');
 
-our $VERSION = '2.0.0';
+our $VERSION = '2.1.0';
 
 # Call SOAP::Trace::objects().
 sub DESTROY { SOAP::Trace::objects('()') }