Commit 7be46884 authored by Xavier Guimard

Add conditional SSLVar (closes: #803)

parent 3a4eb388
......@@ -23,7 +23,7 @@ use constant HANDLERSECTION => "handler";
use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va))r|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|c(?:as(?:StorageOption|Attribute)|ombModule)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:uthChoiceModules|pplicationList)|v(?:hostOptions|irtualHost))$/;
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va))r|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|c(?:as(?:StorageOption|Attribute)|ombModule)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:uthChoiceModules|pplicationList)|v(?:hostOptions|irtualHost)|SSLVarIf)$/;
our @sessionTypes = ( 'remoteGlobal', 'cas', 'global', 'localSession', 'persistent', 'saml', 'oidc' );
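Review bot: `SSLVarIf` is appended as a bare trailing alternative on the new `$hashParameters` line instead of being folded into the prefix-factored tree the rest of the pattern uses, and the same is done to `$simpleHashKeys` in the next file. If these patterns are emitted by a generator from a key list (the factored form suggests so, but no generator is visible here), that list needs `SSLVarIf` as well, otherwise the next regeneration silently drops the key and the new container stops being treated as a hash parameter. If they are hand-maintained, a comment such as `# SSLVarIf appended by hand; keep in sync with the simpleHashKeys pattern` on both lines would at least flag the two places that must move together.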
......
......@@ -20,7 +20,7 @@ our $specialNodeHash = {
};
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|c(?:as(?:StorageOption|Attribute)|ombModule)|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|c(?:as(?:StorageOption|Attribute)|ombModule)|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList)|SSLVarIf)';
our $specialNodeKeys = '(?:(?:saml(?:ID|S)|oidc[OR])PMetaDataNode|virtualHost)s';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|S(?:toreIDToken|cope)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|(?:RedirectUri|ExtraClaim)s|AccessTokenExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|UserIDAttr)|ExportedVars)';
......@@ -46,7 +46,7 @@ our $authParameters = {
remoteParams => [qw(remotePortal remoteCookieName remoteGlobalStorage remoteGlobalStorageOptions)],
restParams => [qw(restAuthUrl restUserDBUrl restPwdConfirmUrl restPwdModifyUrl)],
slaveParams => [qw(slaveAuthnLevel slaveExportedVars slaveUserHeader slaveMasterIP slaveHeaderName slaveHeaderContent)],
sslParams => [qw(SSLAuthnLevel SSLVar)],
sslParams => [qw(SSLAuthnLevel SSLVar SSLVarIf)],
twitterParams => [qw(twitterAuthnLevel twitterKey twitterSecret twitterAppName)],
webidParams => [qw(webIDAuthnLevel webIDExportedVars webIDWhitelist)],
yubikeyParams => [qw(yubikeyAuthnLevel yubikeyClientID yubikeySecretKey yubikeyPublicIDSize)],
......
......@@ -2778,6 +2778,9 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
'SSLVar' => {
'type' => 'text'
},
'SSLVarIf' => {
'type' => 'keyTextContainer'
},
'staticPrefix' => {
'type' => 'text'
},
......
......@@ -1945,7 +1945,8 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 5,
documentation => 'SSL authentication level',
},
SSLVar => { type => 'text', },
SSLVar => { type => 'text', },
SSLVarIf => { type => 'keyTextContainer', },
# CAS
CAS_authnLevel => {
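Review bot: The new `SSLVarIf` entry carries only a `type`, while the neighbouring `SSLAuthnLevel` entry also sets `documentation`; an administrator reading the attribute table has no hint of what the container's keys and values mean. One line would do: `SSLVarIf => { type => 'keyTextContainer', documentation => 'Certificate field to extract, keyed by issuer DN', },`. The enclosing hash starts and ends outside the hunk.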
......
......@@ -328,7 +328,7 @@ sub tree {
title => 'sslParams',
help => 'authssl.html',
form => 'simpleInputContainer',
nodes => [ 'SSLAuthnLevel', 'SSLVar' ]
nodes => [ 'SSLAuthnLevel', 'SSLVar', 'SSLVarIf' ]
},
{
title => 'twitterParams',
......
......@@ -618,6 +618,7 @@
"SSLAuthnLevel": "Authentication level",
"sslParams": "SSL parameters",
"SSLVar": "Extracted certificate field",
"SSLVarIf": "Conditional extracted certificate field",
"startTime": "Creation date",
"successfullySaved": "Successfully saved",
"storePassword": "Store user password in session datas",
......
......@@ -618,6 +618,7 @@
"SSLAuthnLevel": "Niveau d'authentification",
"sslParams": "Paramètres SSL",
"SSLVar": "Champ extrait du certificat",
"SSLVarIf": "Champ conditionnel extrait du certificat",
"startTime": "Date de création",
"successfullySaved": "Sauvegarde effectuée",
"storePassword": "Stocke le mot de passe de l'utilisateur en session",
......
......@@ -18,6 +18,7 @@ has SSLField => ( is => 'rw' );
sub init {
my ($self) = @_;
$self->SSLField( $self->conf->{SSLVar} ||= 'SSL_CLIENT_S_DN_Email' );
$self->conf->{SSLVarIf} ||= {};
return 1;
}
......@@ -25,11 +26,17 @@ sub init {
# @return Lemonldap::NG::Portal constant
sub extractFormInfo {
my ( $self, $req ) = @_;
my $field = $self->SSLField;
if ( $req->env->{SSL_CLIENT_I_DN}
and my $tmp =
$self->conf->{SSLVarIf}->{ $req->env->{SSL_CLIENT_I_DN} } )
{
$field = $tmp;
}
return PE_OK
if ( $req->user( $req->env->{ $self->SSLField } ) );
if ( $req->{SSL_CLIENT_S_DN} ) {
$self->userLogger->warn(
"$self->SSLField was not found in user certificate");
if ( $req->user( $req->env->{$field} ) );
if ( $req->env->{SSL_CLIENT_S_DN} ) {
$self->userLogger->warn("$field was not found in user certificate");
return PE_BADCERTIFICATE;
}
else {
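Review bot: The per-issuer lookup at the top of extractFormInfo matches `SSL_CLIENT_I_DN` against the `SSLVarIf` keys as an exact string and falls back to `SSLVar` silently when nothing matches, so an issuer DN whose string form differs from the configured key (the DN formatting comes from the front-end server, not this module) quietly extracts the default field instead of the intended one. The condition also reads `$req->env->{SSL_CLIENT_I_DN}` twice and declares `$tmp` inside the `and` chain; hoisting it reads more plainly: `my $issuer = $req->env->{SSL_CLIENT_I_DN};` followed by `my $field = ( $issuer && $self->conf->{SSLVarIf}->{$issuer} ) || $self->SSLField;`. A comment above the lookup, `# Exact-string match on the issuer DN; unmatched issuers fall back to SSLVar`, and, if the module exposes a debug logger alongside `userLogger` (not visible here), a debug line on the unmatched case would make such misconfigurations visible in the logs. These environment values are presumably only meaningful once the server has verified the client certificate, which is a precondition this change does not alter; extractFormInfo continues past the end of the hunk.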
......