# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2019-04-13T19:54:08Z

## #1704: Append parameter to sort IDP, OP and CAS servers in Auth menu loop
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1704
Updated: 2019-04-13T19:54:08Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
Append Manager parameter to order SAML IdP, OIDC OP and CAS servers buttons when displaying Portal auth menu/choice.
### Design proposition
Sorting by rank, or alphabetical order if not set.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1699: Authentication level for REST and GPG authentication
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1699
Updated: 2019-04-21T19:52:25Z
Author: Alexandre LINTE

### Summary
Add authentication level for REST/GPG Authentication.
### Design proposition
Add in the configuration menu a default value for REST/GPG authentication (default 2/3) and the possibility to change it under REST/GPG parameters menu.
Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1694: Disable CSRF token with AuthBasic
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1694
Updated: 2019-04-10T07:23:33Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
When using AuthBasic handler, CSRF token is required.
### Design proposition
Append a configuration option to set IP addresses, to disable the token for those **specific IP addresses**.
Using an IP-based rule avoids a security issue.
Indeed, the AuthBasic handler is mostly used by servers, so an administrator can set IP addresses to bypass token checking.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1675: [Security:minor] Using /logout instead of /?logout=1 does not work
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1675
Updated: 2019-04-10T21:22:53Z
Author: Clément OUDOT

In LL::NG 2.0, it seems that a specific route has been created for logout, but it is not working.
Here is the log when calling http://auth.example.com/logout:
```
auth.example.com:80 127.0.0.1 - - [21/Mar/2019:09:15:38 +0100] "GET /static/common/apps/network.png HTTP/1.1" 304 263
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Handler internal cache
[debug] auth.example.com: Apply default rule
[debug] removing cookie
[debug] Cookies -> llnglanguage=fr; lemonldap=10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] CookieName -> lemonldap
[debug] newCookies -> llnglanguage=fr;
[debug] User dwho was granted to access to /logout
[debug] Start routing logout
[debug] Processing controlUrl
[debug] Processing authLogout
[debug] Cleaning pdata
[debug] Processing deleteSession
[debug] Returned error: 47
[debug] Calling autoredirect
[debug] Skin returned: login
[debug] Calling sendHtml with template login
```
And here with http://auth.example.com/?logout=1:
```
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Handler::Main::Run
[debug] Check session validity from Handler
[debug] Session timeout -> 72000
[debug] Session _utime -> 1553156138
[debug] now -> 1553156173
[debug] Session timeoutActivityInterval -> 60
[debug] Session TTL = 71965
[debug] auth.example.com: Apply default rule
[debug] removing cookie
[debug] Cookies -> llnglanguage=fr; lemonldap=10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] CookieName -> lemonldap
[debug] newCookies -> llnglanguage=fr;
[debug] User dwho was granted to access to /?logout=1
[debug] Start routing default route
[debug] Processing importHandlerData
[debug] Processing controlUrl
[debug] Processing checkLogout
[debug] Processing authLogout
[debug] Cleaning pdata
[debug] Processing deleteSession
[debug] Try to get SSO session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Portal::Main::Run
[debug] Return SSO session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] Local handler logout
[notice] User dwho has been disconnected
[debug] Session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd deleted from global storage
[debug] Returned error: 47
[debug] Calling autoredirect
[debug] Skin returned: login
[debug] Calling sendHtml with template login
```
In the first case the session is not deleted.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1667: [Security:medium] Option userControl is not applied anymore in standard login process
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1667
Updated: 2019-04-10T21:21:04Z
Author: Clément OUDOT

Looking at the code, the userControl parameter is only applied in password reset and register:
```
clement@ader-worteks:~/dev/lemonldap-ng$ grep -r userControl lemonldap-ng-portal/
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm: unless ( $req->{user} =~ /$self->{conf}->{userControl}/o ) {
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm: m/$self->{conf}->{userControl}/o );
```
It should also be applied in the standard login process.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1664: Impersonation plugin
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1664
Updated: 2020-04-25T12:52:56Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
The aim of this plugin is to allow a user to spoof the identity of another user.
Useful for training or dev platforms.
### Design proposition
Create SSO session with spoofed identity attributes and real session attributes.
Macros and rules can be based on `real_XXX` or `XXX` (spoofed) session attributes.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1661: Configuration viewer module
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1661
Updated: 2019-04-23T12:26:29Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
Viewer is a SPA to allow specific users to edit General configuration but in Read Only mode.
### Design proposition
Like conf without save or edit features.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1658: CheckUser plugin
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1658
Updated: 2021-01-30T17:22:43Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
It is a plugin to check user session attributes, access and transmitted headers to a specific URL.
### Design proposition
Useful for IT Ops, dev teams or administrators to debug or check rules.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1651: Disable cache on portal page
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1651
Updated: 2020-06-10T19:40:01Z
Author: Clément OUDOT

With some browsers, the login page is cached and we get an error as the security token is invalid (it has not been regenerated).
We should update our response headers so that portal pages are not cached by browsers.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #1632: Optionally let Ext2F module handle code generation
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1632
Updated: 2019-02-16T21:42:28Z
Author: Maxime Besson

### Summary
Currently, Ext2F requires two commands. One to generate and send the token for a user, and another to check the token submitted by the user on the form.
My proposal is to have an option that lets Ext2F handle the code generation and verification itself, and only rely on an external command to send it to the user.
An obvious use for this modification would be to relieve the user of the burden of implementing their own token storage, while still being able to interact with all sorts of external delivery methods (proprietary/SaaS SMS gateways come to mind).
### Design proposition
Much like #1629, with this hypothetical new option turned on, the plugin would
In `run`:
* Generate a random code (with String::Random for now)
* Store it in the token-based temporary session
* Call the configured command, which could be something like `send_token.pl --phoneNum $mobile --code $code` (`$code` would already be available in this phase, unlike ext2F's regular behaviour)
* Display the `ext2fcheck` template to the user
In `verify`:
* With the hypothetical option on, instead of calling an external command to verify the code, we could compare the code POST-ed by the user to the one internally stored in the session.
### Thoughts
This would make it easier for a user to plug into an existing delivery method (mail, sms, pagers, some mobile app, smoke signals) without having to implement token generation and storage themselves.
However, it would mean that ext2F would have 2 pretty different ways of working, depending on whether it handles token generation or leaves it to the external system. I'm not sure if this behaviour should be a part of ext2F or its own, separate module.

Milestone: 2.0.3
Assignee: Christophe Maudoux (chrmdx@gmail.com)