Commit 79daebec authored by Xavier Guimard's avatar Xavier Guimard

Apply some master changes

parent 73a17881
......@@ -23,7 +23,7 @@ use constant HANDLERSECTION => "handler";
use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|re(?:moteGlobalStorageOption|loadUrl)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
......
......@@ -185,7 +185,8 @@ sub defaultValues {
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions'
},
'requireToken' => 1,
'requireToken' => 1,
'rest2fActivation' => 0,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,
......
......@@ -22,7 +22,7 @@ our $specialNodeHash = {
};
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustomAddParam|ombModule)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|c(?:as(?:StorageOption|Attribute)|ustomAddParam|ombModule)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:Servic|Rul)e|ExportedVars)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|Gateway|Renew|Icon|Url)|ExportedVars)';
......
......@@ -2355,6 +2355,33 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 1,
'type' => 'bool'
},
'rest2fActivation' => {
'default' => 0,
'type' => 'boolOrExpr'
},
'rest2fAuthnLevel' => {
'type' => 'int'
},
'rest2fInitArgs' => {
'keyMsgFail' => '__badKeyName__',
'keyTest' => qr/^\w+$/,
'msgFail' => '__badValue__',
'test' => qr/^\w+$/,
'type' => 'keyTextContainer'
},
'rest2fInitUrl' => {
'type' => 'url'
},
'rest2fVerifyArgs' => {
'type' => 'keyTextContainer'
},
'rest2fVerifyUrl' => {
'keyMsgFail' => '__badKeyName__',
'keyTest' => qr/^\w+$/,
'msgFail' => '__badValue__',
'test' => qr/^\w+$/,
'type' => 'url'
},
'restAuthUrl' => {
'type' => 'url'
},
......
package Lemonldap::NG::Portal::2F::REST;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_ERROR
PE_FORMEMPTY
PE_OK
PE_SENDRESPONSE
);
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Portal::Main::SecondFactor',
'Lemonldap::NG::Portal::Lib::REST';
# INITIALIZATION
has prefix => ( is => 'ro', default => 'ext' );
has initAttrs => ( is => 'ro', default => sub { {} } );
has vrfyAttrs => ( is => 'ro', default => sub { {} } );
sub init {
my ($self) = @_;
unless ( $self->conf->{rest2fVerifyUrl} ) {
$self->logger->error('Missing REST verification URL');
return 0;
}
foreach my $k ( keys %{ $self->conf->{rest2fInitArgs} } ) {
my $attr = $self->conf->{rest2fInitArgs}->{$k};
$attr =~ s/^$//;
unless ( $attr =~ /^\w+$/ ) {
$self->logger->error(
"2F REST: $k key must point to a single attribute or macro");
return 0;
}
$self->initAttrs->{$k} = $attr;
}
foreach my $k ( keys %{ $self->conf->{rest2fVerifyArgs} } ) {
my $attr = $self->conf->{rest2fVerifyArgs}->{$k};
$attr =~ s/^$//;
unless ( $attr =~ /^\w+$/ ) {
$self->logger->error(
"2F REST: $k key must point to a single attribute or macro");
return 0;
}
$self->vrfyAttrs->{$k} = $attr;
}
return 1;
}
sub run {
my ( $self, $req, $token ) = @_;
if ( $self->conf->{rest2fInitUrl} ) {
# Prepare args
my $args;
foreach my $k ( keys %{ $self->{initAttrs} } ) {
$args->{$k} = $req->sessionInfo->{ $self->{initAttrs}->{$k} };
}
# Launch REST request
$self->logger->debug('Call REST init URL');
my $res =
eval { $self->restCall( $self->conf->{rest2fInitUrl}, $args ); };
if ($@) {
$self->logger->error("REST 2F error: $@");
return PE_ERROR;
}
unless ( $res->{result} ) {
$self->logger->error("REST 2F initialization has failed");
return PE_ERROR;
}
}
else {
$self->logger->debug('No init URL, skipping initialization');
}
# Prepare form
my $tmp = $self->p->sendHtml(
$req,
'ext2fcheck',
params => {
SKIN => $self->conf->{portalSkin},
TOKEN => $token
}
);
$self->logger->debug("Prepare external REST verification");
$req->response($tmp);
return PE_SENDRESPONSE;
}
sub verify {
my ( $self, $req, $session ) = @_;
my $code;
unless ( $code = $req->param('code') ) {
$self->userLogger->error('External REST 2F: no code');
return PE_FORMEMPTY;
}
# Prepare args
my $args;
foreach my $k ( keys %{ $self->{vrfyAttrs} } ) {
$args->{$k} =
( $k eq 'code'
? $code
: $req->sessionInfo->{ $self->{vrfyAttrs}->{$k} } );
}
# Launch REST request
$self->logger->debug('Call REST vrfy URL');
my $res =
eval { $self->restCall( $self->conf->{rest2fVerifyUrl}, $args ); };
if ($@) {
$self->logger->error("REST 2F error: $@");
return PE_ERROR;
}
# Result
unless ( $res->{result} ) {
$self->userLogger->warn( 'REST Second factor failed for '
. $session->{ $self->conf->{whatToTrace} } );
return PE_BADCREDENTIALS;
}
PE_OK;
}
1;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment