Merge branch 'v2.0' into 2683

doc/sources/admin/idpcas.rst

@@ -71,6 +71,10 @@ Then go in ``CAS Service`` to define:
    matching. By default, LemonLDAP::NG will try to find a declared CAS
    Application matching the hostname of the requested application if it cannot
    find a match using the full path. See :ref:`idpcas-url-matching` for details
+-  **Temporary ticket lifetime**: (since *2.0.14*): restricts how long Service
+   and Proxy tickets are valid after being generated. For compatibility, the
+   default value of ``0`` means they are valid for the entire session duration.
+   But the CAS spefications recommends ``300`` (5 minutes).
 
 
 .. tip::

doc/sources/admin/parameterlist.rst

@@ -62,6 +62,7 @@ casSrvMetaDataOptions                                   Root of CAS server optio
 casStorage                                              Apache::Session module to store CAS user data                                        ✔
 casStorageOptions                                       Apache::Session module parameters                                                    ✔
 casStrictMatching                                       Disable host-based matching of CAS services                                          ✔
+casTicketExpiration                                     CAS Service and Proxy tickets TTL                                                    ✔
 cda                                                     Enable Cross Domain Authentication                                                   ✔      ✔
 certificateResetByMailCeaAttribute                                                                                                           ✔
 certificateResetByMailCertificateAttribute                                                                                                   ✔

doc/sources/admin/restsessionbackend.rst

@@ -4,12 +4,11 @@ REST session backend
 Session <type> can be 'global' for SSO sessions or 'persistent' for
 persistent sessions.
 
-LL::NG portal provides REST end points for sessions management:
+LL::NG Portal provides REST end points for sessions management:
 
 -  GET /sessions/<type>/<session-id> : get session datas
 -  GET /sessions/<type>/<session-id>/<key> : get a session key value
--  GET /sessions/<type>/<session-id>/[k1,k2] : get some session key
-   value
+-  GET /sessions/<type>/<session-id>/[k1,k2] : get some keys value
 -  POST /sessions/<type> : create a session
 -  PUT /sessions/<type>/<session-id> : update some keys
 -  DELETE /sessions/<type>/<session-id> : delete a session
@@ -20,17 +19,21 @@ Sessions for connected users (used by :doc:`LLNG Proxy<authproxy>`):
 -  GET /session/my/<type>/key : get session key
 -  DELETE /session/my : ask for logout
 
-Authorizations for connected users (always enabled):
+Services for connected users (always enabled):
 
--  GET /mysession/?authorizationfor=<base64-encoded-url>: ask if url is
-   authorizated
+-  GET /mysession/?authorizationfor=<base64-encoded-url> : ask if an url
+   is authorized
+-  GET /mysession/?whoami       : get "my" uid
+-  PUT /mysession/<type>        : update some persistent data (restricted)
+-  DELETE /mysession/<type>/key : delete key in data (restricted)
+-  GET    /myapplications       : get "my" appplications list
 
 This session backend can be used to share sessions stored in a
 non-network backend (like
 :doc:`file session backend<filesessionbackend>`) or in a network backend
 protected with a firewall that only accepts HTTP flows.
 
-Most of the time, REST session backend is used by Handlers installed on
+Most of the time, REST session backend is used by Handlers deployed on
 external servers.
 
 To configure it, REST session backend will be set through Manager in
@@ -69,16 +72,16 @@ Name                Comment                                  Example
 =================== ======================================== ==================================================
 
 `user` and `password` parameters are only used if the entry point `index.fcgi/sessions/global`
-is protected by a basic authentication. Thus, handlers will make requests to the portal
+is protected by a basic authentication. Thus, handlers will make requests to the Portal
 using these parameters.
 
 
 .. attention::
 
     By default, user password and other secret keys are
-    hidden by LLNG REST server. You can force REST server to export their
+    hidden by LL::NG REST server. You can force REST server to export their
     real values by selecting "Export secret attributes in REST" in the
-    manager. This less secure option is disabled by default.
+    Manager. This less secure option is disabled by default.
 
 Apache
 ~~~~~~

doc/sources/admin/upgrade_2_0_x.rst

@@ -29,6 +29,57 @@ None
 2.0.14
 ------
 
+Security
+~~~~~~~~
+
+* **CVE-2021-40874**: RESTServer pwdConfirm always returns true with Combination + Kerberos (see `issue 2612 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612>`__)
+
+Weak encryption used for password-protected SAML keys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Previous versions of LemonLDAP::NG used a weak encryption algorithm to protect
+SAML keys when a password was set during certificate generation.
+
+Run the following command to check if this is your case::
+
+    lemonldap-ng-cli get samlServicePrivateKeySig
+    lemonldap-ng-cli get samlServicePrivateKeyEnc
+
+If the output of either command starts with ``BEGIN ENCRYPTED PRIVATE KEY``,
+then it probably means you generated your keys using the vulnerable manager
+code.
+
+In this case, you can convert your existing keys to a stronger encryption using
+the following command ::
+
+    # Extract your existing keys. If samlServicePrivateKeyEnc is empty, you can
+    # skip it entirely
+    lemonldap-ng-cli get samlServicePrivateKeySig | \
+        sed 's/samlServicePrivateKeySig = //' > saml-sig.pem
+    lemonldap-ng-cli get samlServicePrivateKeyEnc | \
+        sed 's/samlServicePrivateKeyEnc = //' > saml-enc.pem
+
+    # Re-encrypt the private key, using the same passphrase
+    openssl pkey -in saml-sig.pem -aes256 -out saml-sig-aes.pem
+    openssl pkey -in saml-enc.pem -aes256 -out saml-enc-aes.pem
+
+    #Or, if you are using OpenSSL 3+
+    openssl pkey -provider legacy -provider default -in saml-sig.pem \
+        -aes256 -out saml-sig-aes.pem
+    openssl pkey -provider legacy -provider default -in saml-enc.pem \
+        -aes256 -out saml-enc-aes.pem
+
+Then, simply reimport your keys ::
+
+    lemonldap-ng-cli set samlServicePrivateKeySig "$(cat saml-sig-aes.pem)"
+    lemonldap-ng-cli set samlServicePrivateKeyEnc "$(cat saml-enc-aes.pem)"
+
+If is recommended to keep the same password as before, if not, adjust the
+``samlServicePrivateKeySigPwd`` and ``samlServicePrivateKeyEncPwd`` variables as well.
+
+This operation is transparent and does not require any change to your existing
+SAML configuration or SAML applications
+
 LemonLDAP::NG version is returned by the CheckState plugin
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -29,6 +29,7 @@ sub defaultValues {
         'captcha_size'                       => 6,
         'casAccessControlPolicy'             => 'none',
         'casAuthnLevel'                      => 1,
+        'casTicketExpiration'                => 0,
         'certificateResetByMailCeaAttribute' => 'description',
         'certificateResetByMailCertificateAttribute' =>
           'userCertificate;binary',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -815,6 +815,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => 0,
             'type'    => 'bool'
         },
+        'casTicketExpiration' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
         'cda' => {
             'default' => 0,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -2489,6 +2489,11 @@ sub attributes {
             type          => 'bool',
             documentation => 'Disable host-based matching of CAS services',
         },
+        casTicketExpiration => {
+            default       => 0,
+            type          => 'int',
+            documentation => 'Expiration time of Service and Proxy tickets',
+        },
         issuerDBCASActivation => {
             default       => 0,
             type          => 'bool',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -1393,6 +1393,7 @@ sub tree {
                 'casStorageOptions',
                 'casAttributes',
                 'casStrictMatching',
+                'casTicketExpiration',
 
             ]
         },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf.pm

@@ -212,7 +212,10 @@ sub _generateX509 {
     my $strCert = Net::SSLeay::PEM_get_string_X509($cert);
     my $strPrivate;
     if ($password) {
-        $strPrivate = Net::SSLeay::PEM_get_string_PrivateKey( $key, $password );
+        my $alg = Net::SSLeay::EVP_get_cipherbyname("AES-256-CBC")
+          || Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC");
+        $strPrivate =
+          Net::SSLeay::PEM_get_string_PrivateKey( $key, $password, $alg );
     }
     else {
         $strPrivate = Net::SSLeay::PEM_get_string_PrivateKey($key);

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/Tests.pm

@@ -44,10 +44,14 @@ sub tests {
 
         # Check if portal URL is well formated
         portalURL => sub {
+            my $url = $conf->{portal};
+
+            # Append or remove trailing slashes
+            $conf->{portal} =~ s%/*$%/%;
             return (
                 1,
                 (
-                    ( $conf->{portal} =~ m%/$% )
+                    ( $url =~ m%/$% )
                     ? ''
                     : "Portal URL should end with a /"
                 )

lemonldap-ng-manager/site/htdocs/static/languages/ar.json

@@ -167,6 +167,7 @@
 "casStorage":"اسم وحدة جلسات كاس",
 "casStorageOptions":" خيارات وحدة جلسات كاس",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"اسم الفئة",
 "cda":"نطاقات متعددة",
 "certificateMailContent":"محتوى البريد",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"خدمة أل يو أر ل",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"لا يحتوي الخادم على إعدادات. استخدام قالب لحفظ الأول"
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/de.json

@@ -167,6 +167,7 @@
 "casStorage":"CAS sessions module name",
 "casStorageOptions":"CAS sessions module options",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Category name",
 "cda":"Mehrere Domains",
 "certificateMailContent":"Mail content",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/en.json

@@ -167,6 +167,7 @@
 "casStorage":"CAS sessions module name",
 "casStorageOptions":"CAS sessions module options",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Category name",
 "cda":"Multiple domains",
 "certificateMailContent":"Mail content",

lemonldap-ng-manager/site/htdocs/static/languages/es.json

@@ -167,6 +167,7 @@
 "casStorage":"CAS sessions module name",
 "casStorageOptions":"CAS sessions module options",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Nombre de categoría",
 "cda":"Dominios múltiples",
 "certificateMailContent":"Contenido de correo",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/fr.json

@@ -167,6 +167,7 @@
 "casStorage":"Nom du module des sessions CAS",
 "casStorageOptions":"Options du module des sessions CAS",
 "casStrictMatching":"Filtrage strict des URL",
+"casTicketExpiration":"Expiration des tickets temporaires",
 "categoryName":"Nom de la catégorie",
 "cda":"Domaines multiples",
 "certificateMailContent":"Contenu du mail",

lemonldap-ng-manager/site/htdocs/static/languages/it.json

@@ -167,6 +167,7 @@
 "casStorage":"Nome del modulo sessioni CAS",
 "casStorageOptions":"Opzioni del modulo sessioni CAS",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Nome della categoria",
 "cda":"Domini multipli",
 "certificateMailContent":"Contenuto della mail",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"URL del servizio",
 "yubikey2fUserCanRemoveKey":"Autorizza l'utente a rimuovere la Yubikey",
 "zeroConfExplanations":"Il server non ha alcuna configurazione. Utilizza il modello per salvare il primo."
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/pl.json

@@ -167,6 +167,7 @@
 "casStorage":"Nazwa modułu sesji CAS",
 "casStorageOptions":"Opcje modułu sesji CAS",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Nazwa Kategorii",
 "cda":"Wiele domen",
 "certificateMailContent":"Treść wiadomości",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"URL usługi",
 "yubikey2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć Yubikey",
 "zeroConfExplanations":"Serwer nie ma konfiguracji. Użyj szablonu, aby zapisać pierwszy."
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/tr.json

@@ -167,6 +167,7 @@
 "casStorage":"CAS oturumları modül adı",
 "casStorageOptions":"CAS oturumları modül seçenekleri",
 "casStrictMatching":"Katı URL eşleşmesi kullan",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Kategori ismi",
 "cda":"Çoklu alan adları",
 "certificateMailContent":"E-posta içeriği",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"Servis URL'si",
 "yubikey2fUserCanRemoveKey":"Yubikey'i kaldırmak için kullanıcıya izin ver",
 "zeroConfExplanations":"Sunucunun yapılandırması yok. Şimdi bir tane kaydetmek için şablonu kullanın."
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/vi.json

@@ -167,6 +167,7 @@
 "casStorage":"Tên mô-đun phiên CAS",
 "casStorageOptions":"Các tùy chọn mô-đun phiên CAS",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"Tên thể loại",
 "cda":"Nhiều tên miền",
 "certificateMailContent":"Nội dung thư",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"Dịch vụ URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Máy chủ không có cấu hình. Sử dụng mẫu để lưu đầu tiên. "
-}
\ No newline at end of file
+}

lemonldap-ng-manager/site/htdocs/static/languages/zh.json

@@ -167,6 +167,7 @@
 "casStorage":"CAS 会话模块名称",
 "casStorageOptions":"CAS 会话模块选项",
 "casStrictMatching":"Use strict URL matching",
+"casTicketExpiration":"Temporary ticket lifetime",
 "categoryName":"分类名称",
 "cda":"Multiple domains",
 "certificateMailContent":"Mail content",
@@ -1230,4 +1231,4 @@
 "yubikey2fUrl":"Service URL",
 "yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
 "zeroConfExplanations":"Server has no configuration. Use template to save the first."
-}
\ No newline at end of file
+}