lemonldap-ng merge requests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests
Updated: 2024-02-19T10:09:59Z

Fix issue when transmitting tied hash subkey to Lasso binding
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/451
Updated: 2024-02-19T10:09:59Z | Author: Maxime Besson

I have no idea why this is needed and I'm curious if you have an explanation for this strange behavior
Related to #3105

Milestone: 2.19.0 | Assignee: Maxime Besson

Enable lasso in EL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/433
Updated: 2024-02-12T08:41:33Z | Author: Xavier Bachelot

Lasso perl bindings are now available in EPEL for 7, 8 and 9.

Milestone: 2.19.0

Don't hardcode Perl::Tidy version in output
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/448
Updated: 2024-02-09T15:15:55Z | Author: Xavier Bachelot

Pretty self explanatory I would say :-)

Assignee: Maxime Besson

[OIDC Dynamic Registration] Drop bad redirect_uris (closes #3070)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/447
Updated: 2024-02-06T16:45:01Z | Author: Clément OUDOT

(cherry picked from commit bef7fa8f2375488724a9795a764df777cd0c9633)

Milestone: 2.18.2

fix mails not delivered since 2.18 due to invalid "to:" format (#3093)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/440
Updated: 2024-02-06T09:16:31Z | Author: dcoutadeur dcoutadeur

Fixes #3093

Milestone: 2.18.2 | Assignee: dcoutadeur dcoutadeur

Misc RPM specfile cleanups
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/434
Updated: 2024-02-05T17:06:32Z | Author: Xavier Bachelot

Misc RPM specfile cleanups

Milestone: 2.18.2

Force redirection after authentication cancel
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/445
Updated: 2024-02-05T16:46:22Z | Author: Maxime Besson

Currently, when users cancel authentication, they end up with ?cancel=1 in the URL bar
This is a little confusing, but also it can cause issues (choice being lost) when logging in again immediately after
My proposal is to change the way "cancel=1" is handled
Before: simply run authCancel steps before handling the rest of the process (extractFormInfo, etc)
After: run authCancel steps only, then redirect to portal
However, I'm wondering if this could cause regressions? I don't see in what case we would want to run normal portal subs when the user asks to cancel authentication

Milestone: 2.19.0 | Assignee: Maxime Besson

Typo fixes in doc and some conf files
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/431
Updated: 2024-02-05T16:29:11Z | Author: Xavier Bachelot

Here's a collection of typos in doc and conf files.

Milestone: 2.18.2

Refresh tokens now update _lastSeen (#3088)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/443
Updated: 2024-01-27T19:09:58Z | Author: Maxime Besson

I did it by calling handler's `retrieveSession` instead of portal's `getApacheSession`

Milestone: 2.19.0 | Assignee: Maxime Besson

Allow users to retry 2FA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/442
Updated: 2024-01-27T19:09:28Z | Author: Maxime Besson

see #3080

Assignee: Maxime Besson

Improve (even more) the use of multiple handler in portal unit tests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/439
Updated: 2024-01-25T08:25:03Z | Author: Maxime Besson

This MR improves !438 even more by moving all the multi-handler logic into the "register" function
No more "switch", now, the only times you need to explicitly switch handlers is when you call a class handler method (checkConf) from unit tests directly. This can be done with the new withHandler wrapper:
```
withHandler( 'op', sub { $op->p->HANDLER->checkConf(1) } );
```
I have removed all `switch($xx)` statements from the test suite; from now on, they are automatically performed when invoking the _get or _post method on client objects (see the wrapper definition in `register`)
This new implementation also supports "stacking" handlers, which can happen when a portal with handler "rp" calls another portal with handler "op". This means that complex tests such as `t/35-REST-config-backend.t` which perform HTTP requests during instantiation also work.
As a bonus, I added a Logger implementation that displays the handler stack nicely:
```
DEBUG=1 prove t/32-Auth-and-issuer-OIDC-authorization_code.t
# Request on RP is now clearly indicated:
[rp] [info] New request Lemonldap::NG::Portal::Main GET /
# Request on OP:
[op] [info] New request Lemonldap::NG::Portal::Main GET /oauth2/authorize?response_type=code&state=1706044640_37651&nonce=0yP2fr80AqBknj0-jOpoxg&redirect_uri=http%3A%2F%2Fauth.rp.com%2F%3Fopenidconnectcallback%3D1&client_id=rpid&scope=openid+profile+email&my_param=my+value&max_age=30&display=&acr_values=loa-32+customacr-1
# Even RP to OP requests are properly marked:
[rp->op] [info] New request Lemonldap::NG::Portal::Main POST /oauth2/token
```
This will make troubleshooting unit tests a LOT, LOT, LOT easier.
And hopefully, writing them, too :smile:

Milestone: 2.19.0 | Assignee: Maxime Besson

Improve handler switching in test suite
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/438
Updated: 2024-01-24T17:12:09Z | Author: Maxime Besson

Currently, instantiating multiple portals in a single unit test causes the handler API to be shared between the two portals. There is an attempt to isolate them using the register/switch methods in test-lib, but this is not enough in some cases (such as accessing `HANDLER->tsv`, see 00-Switch.t)
In this MR, I extend the register/switch system to also switch all SharedVariables (tsv, portal, logger, etc), which will let us better isolate the handler API in unit tests.
@guimard what do you think? Is there some other part of the handler that needs to be isolated?

Milestone: 2.19.0 | Assignee: Maxime Besson

Drop only CSP header when oidcDropCspHeaders is set, not CORS headers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/432
Updated: 2024-01-17T09:50:00Z | Author: Yadd

When relying party is the browser, Chromium refuses to query OIDC endpoints without CORS headers

Milestone: 2.18.2 | Assignee: Yadd

Add ANSSI/OIDC doc (#3030)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/430
Updated: 2024-01-06T03:40:51Z | Author: Yadd

Related to #3030

Milestone: 2.19.0 | Assignee: Yadd

[OIDC] add parameter to require /userinfo authentication using header only (#3030)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/429
Updated: 2024-01-03T04:01:55Z | Author: Yadd

Related to #3030

Milestone: 2.19.0 | Assignee: Yadd

[OIDC] add parameters to require nonce and/or state in authn requests (#3030)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/428
Updated: 2024-01-03T03:55:46Z | Author: Yadd

Related to #3030

Milestone: 2.19.0 | Assignee: Yadd

[OIDC] Implement optional "Passing Request Parameters as JWTs"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/427
Updated: 2024-01-03T03:50:29Z | Author: Yadd

Related to #3073

Milestone: 2.19.0 | Assignee: Yadd

[OIDC] Fix multiple JWKS keys on Auth side with no 'kid'
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/423
Updated: 2023-12-21T17:42:00Z | Author: Yadd

Related to #3067

Milestone: 2.18.1 | Assignee: Yadd

Fix OIDC issues 3066/3065
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/424
Updated: 2023-12-21T14:53:57Z | Author: Maxime Besson

This MR adds "kid" back in emitted ID tokens when using asym keys with a `kid` set in config
I initialized a unit test for some ID Token properties, to be extended later if needed
This fixes #3066
Then, I fix #3065 in the case where a kid is provided by fixing the typo. I adjusted the unit test from !423 to correspond to this particular case

Force Safe Jail in lemonldap-ng.ini
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/422
Updated: 2023-12-20T13:05:46Z | Author: Clément OUDOT

Related to #2980

Milestone: 2.18.0 | Assignee: Clément OUDOT