From d27e8f60ac02f937e856ba0558612570d5c2876f Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 15:04:48 +0200 Subject: [PATCH 01/40] Fix OIDC GUI --- .../site/htdocs/static/forms/oidcOPMetaDataNodeContainer.html | 2 +- .../site/htdocs/static/forms/oidcRPMetaDataNodeContainer.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-manager/site/htdocs/static/forms/oidcOPMetaDataNodeContainer.html b/lemonldap-ng-manager/site/htdocs/static/forms/oidcOPMetaDataNodeContainer.html index fddadd3253..49cc9d4759 100644 --- a/lemonldap-ng-manager/site/htdocs/static/forms/oidcOPMetaDataNodeContainer.html +++ b/lemonldap-ng-manager/site/htdocs/static/forms/oidcOPMetaDataNodeContainer.html @@ -4,7 +4,7 @@ - + diff --git a/lemonldap-ng-manager/site/htdocs/static/forms/oidcRPMetaDataNodeContainer.html b/lemonldap-ng-manager/site/htdocs/static/forms/oidcRPMetaDataNodeContainer.html index 83e1e2a57c..9a958fa359 100644 --- a/lemonldap-ng-manager/site/htdocs/static/forms/oidcRPMetaDataNodeContainer.html +++ b/lemonldap-ng-manager/site/htdocs/static/forms/oidcRPMetaDataNodeContainer.html @@ -4,7 +4,7 @@
- + -- GitLab From d9607ae32cbd3d893ecb8cc7a8553b74e559adb9 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 16:10:27 +0200 Subject: [PATCH 02/40] WIP - Modify oidcConsents key structure --- .../NG/Portal/Issuer/OpenIDConnect.pm | 103 +++++++++++++++--- 1 file changed, 85 insertions(+), 18 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index dd6159e67e..929b4239e5 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -118,7 +118,7 @@ sub run { # AUTHORIZE if ( $path eq $self->conf->{oidcServiceMetaDataAuthorizeURI} ) { $self->logger->debug( - "URL detected as an OpenID Connect AUTHORIZE URL"); + "URL detected as an OpenID Connect AUTHORIZE URL"); # Get and save parameters my $oidc_request = {}; @@ -211,15 +211,15 @@ sub run { return PE_UNAUTHORIZEDPARTNER; } else { - $self->logger->debug("Client id $client_id match RP $rp"); + $self->logger->debug("Client id $client_id matches RP $rp"); } - # Check if this RP is authorizated + # Check if this RP is authorized if ( my $rule = $self->spRules->{$rp} ) { unless ( $rule->( $req, $req->sessionInfo ) ) { $self->userLogger->warn( 'User ' . $req->sessionInfo->{ $self->conf->{whatToTrace} } - . "was not authorizated to access to $rp" ); + . "was not authorized to access to $rp" ); return PE_UNAUTHORIZEDPARTNER; } } @@ -288,7 +288,7 @@ sub run { ) { $self->logger->debug( -"Reauthentication requested by Relying Party in prompt parameter" +"Reauthentication required by Relying Party in prompt parameter" ); return $self->reAuth($req); } 
@@ -297,7 +297,7 @@ sub run { my $_lastAuthnUTime = $req->{sessionInfo}->{_lastAuthnUTime}; if ( $max_age && time > $_lastAuthnUTime + $max_age ) { $self->logger->debug( -"Reauthentication forced cause authentication time ($_lastAuthnUTime) is too old (>$max_age s)" +"Reauthentication forced because authentication time ($_lastAuthnUTime) is too old (>$max_age s)" ); return $self->reAuth($req); } @@ -320,11 +320,11 @@ sub run { ) { $self->logger->error( - "Request JWT signature could not be verified"); + "JWT signature request can not be verified"); return PE_ERROR; } else { - $self->logger->debug("Request JWT signature verified"); + $self->logger->debug("JWT signature request verified"); } } @@ -343,12 +343,12 @@ sub run { my $user_id = $req->{sessionInfo}->{$user_id_attribute}; unless ( $sub eq $user_id ) { $self->userLogger->error( - "ID Token hint sub $sub do not match user $user_id"); + "ID Token hint sub $sub does not match user $user_id"); return $self->returnRedirectError( $req, $oidc_request->{'redirect_uri'}, 'invalid_request', - "current user do not match id_token_hint sub", + "Current user does not match id_token_hint sub", undef, $oidc_request->{'state'}, ( $flow ne "authorizationcode" ) @@ -356,7 +356,7 @@ sub run { } else { $self->logger->debug( - "ID Token hint sub $sub match current user"); + "ID Token hint sub $sub matches current user"); } } 
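Review bot: The reworded error `"JWT signature request can not be verified"` changes what the message says: what failed is the signature of the request JWT (the `request` object), not a request for a signature, and the matching debug line two lines below has the same inversion. Keep the original wording or write `"Signature of the request JWT could not be verified"` / `"Signature of the request JWT verified"` so an operator reading the logs knows which check failed. Three other rewordings in this commit regress the same way: the `-437,12` hunk adds `Consent is requiered` (typo for `required`), the `-776,7` hunk replaces `No flow has been selected` with the ungrammatical `None flow has been selected`, and the `-898,7` hunk keeps `match` where the `-211,15` hunk of the same commit just corrected it to `matches`. `sub run` starts and ends outside the hunk.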
@@ -365,13 +365,48 @@ sub run { ->{oidcRPMetaDataOptionsBypassConsent}; if ($bypassConsent) { $self->logger->debug( - "Consent is disabled for RP $rp, user will not be prompted" +"Consent is disabled for Relying Party $rp, user will not be prompted" ); } else { my $ask_for_consent = 1; + +######################## + $req->{sessionInfo}->{_oidcConsents} + + # Loading existing oidcConsents + $self->logger->debug("Looking for OIDC Consents ..."); + my $_oidcConsents; + if ( $req->{sessionInfo}->{_oidcConsents} ) { + $_oidcConsents = eval { + from_json( $req->{sessionInfo}->{_oidcConsents}, + { allow_nonref => 1 } ); + }; + if ($@) { + $self->logger->error( + "Corrupted session (_oidcConsents): $@"); + return PE_ERROR; + } + } + else { + $self->logger->debug("No OIDC Consent found"); + $_oidcConsents = []; + } + + # Reading existing RP + my @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; + unless (@RPoidcConsent) { + $self->logger->debug("No Relying Party $rp Consent found"); + + # Set default value + push @RPoidcConsent, { rp => $rp, time => '', scope => '' }; + } + +################### + if ( $req->{sessionInfo}->{"_oidc_consent_time_$rp"} and $req->{sessionInfo}->{"_oidc_consent_scope_$rp"} ) + { $ask_for_consent = 0; my $consent_time = @@ -379,6 +414,15 @@ sub run { my $consent_scope = $req->{sessionInfo}->{"_oidc_consent_scope_$rp"}; + #if ( $RPoidcConsent[0]->{rp} eq $rp ) + #{ + #$ask_for_consent = 0; + + #my $consent_time = + #$RPoidcConsent[0]->{time}; + # my $consent_scope = + # $RPoidcConsent[0]->{scope}; + $self->logger->debug( "Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)" ); 
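Review bot: The line `$req->{sessionInfo}->{_oidcConsents}` added under the `########################` marker is a bare expression with no terminating semicolon, immediately followed by the comment and `$self->logger->debug(...)`, so this hunk does not compile. Either drop it or make it the initializer: `my $_oidcConsents = $req->{sessionInfo}->{_oidcConsents};`, removing the later bare `my $_oidcConsents;`. The default entry pushed in the `unless (@RPoidcConsent)` branch carries `rp => $rp`, so a later test of `$RPoidcConsent[0]{rp} eq $rp` — which the commented block in the next hunk suggests is the plan — cannot tell a stored consent from the placeholder; the placeholder should be detectable, for example by testing its `time`/`scope` values. `sub run` starts and ends outside the hunk.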
@@ -417,6 +461,28 @@ sub run { $oidc_request->{'scope'} } ); + + ############### + + $RPoidcConsent[0]->{time} = time; + $RPoidcConsent[0]->{scope} = $oidc_request->{'scope'}; + + push @{$_oidcConsents}, @{$RPoidcConsent}; + + #{ + #type => 'U2F', + #name => $keyName, + #_userKey => $self->encode_base64url( $userKey, '' ), + #_keyHandle => $keyHandle, + #epoch => $epoch + #}; + $self->logger->debug( + "Append Relying Party $rp Consent"); + $self->p->updatePersistentSession( $req, + { _oidcConsents => to_json($_oidcConsents) } ); + +################# + $self->logger->debug( "Consent given for Relying Party $rp"); } @@ -437,12 +503,13 @@ sub run { } else { $self->logger->debug( - "Obtain user consent for Relying Party $rp"); + "Request user consent for Relying Party $rp"); # Return error if prompt is none if ( $prompt and $prompt =~ /\bnone\b/ ) { $self->logger->debug( - "Consent is needed but prompt is none"); + "Consent is requiered but prompt is set to none" + ); return $self->returnRedirectError( $req, $oidc_request->{'redirect_uri'}, @@ -776,7 +843,7 @@ sub run { return PE_REDIRECT; } - $self->logger->debug("No flow has been selected"); + $self->logger->debug("None flow has been selected"); return PE_OK; } @@ -898,7 +965,7 @@ sub token { return $self->p->sendError( $req, 'invalid_request', 400 ); } else { - $self->logger->debug("Client id $client_id match RP $rp"); + $self->logger->debug("Client id $client_id match Relying Party $rp"); } # Check client_secret @@ -924,7 +991,7 @@ sub token { # Check we have the same redirect_uri value unless ( $req->param("redirect_uri") eq $codeSession->data->{redirect_uri} ) { - $self->userLogger->error( "Provided redirect_uri is different from " + $self->userLogger->error( "Provided redirect_uri does not match " . $codeSession->{redirect_uri} ); return $self->p->sendError( $req, 'invalid_request', 400 ); } 
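Review bot: `push @{$_oidcConsents}, @{$RPoidcConsent};` dereferences a scalar `$RPoidcConsent` that is never declared (the array is `@RPoidcConsent`), so under `use strict` this line fails to compile. Patch 03 corrects the sigil but keeps a second problem, carried into patch 05 too: when the entry was found by the earlier `grep`, `$RPoidcConsent[0]` is already a member of `@$_oidcConsents`, so updating it in place and then pushing it again appends a duplicate hash reference each time the user re-confirms, and the serialized `_oidcConsents` grows without bound. Append only a freshly created placeholder, e.g. `push @{$_oidcConsents}, @RPoidcConsent unless grep { $_ == $RPoidcConsent[0] } @{$_oidcConsents};`. The commented `#{ type => 'U2F', ... }` block pasted from another plugin should not be left in, and `sub run` starts and ends outside the hunk.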
@@ -1290,7 +1357,7 @@ sub logout { foreach my $rp (@rps) { my $rpConf = $self->conf->{oidcRPMetaDataOptions}->{$rp}; unless ($rpConf) { - $self->logger->error("Unknown RP $rp"); + $self->logger->error("Unknown Relying Party $rp"); return PE_ERROR; } if ( my $url = $rpConf->{oidcRPMetaDataOptionsLogoutUrl} ) { -- GitLab From 814b571fa9fcc36aecfccb7462f70441cb575576 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 17:31:58 +0200 Subject: [PATCH 03/40] WIP - Modify oidcConsents key structure --- .../NG/Portal/Issuer/OpenIDConnect.pm | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 929b4239e5..c1143b9543 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -372,11 +372,12 @@ sub run { my $ask_for_consent = 1; ######################## - $req->{sessionInfo}->{_oidcConsents} + my $_oidcConsents; + my @RPoidcConsent = (); # Loading existing oidcConsents $self->logger->debug("Looking for OIDC Consents ..."); - my $_oidcConsents; + if ( $req->{sessionInfo}->{_oidcConsents} ) { $_oidcConsents = eval { from_json( $req->{sessionInfo}->{_oidcConsents}, @@ -394,7 +395,7 @@ sub run { } # Reading existing RP - my @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; + @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; unless (@RPoidcConsent) { $self->logger->debug("No Relying Party $rp Consent found"); 
@@ -414,14 +415,14 @@ sub run { my $consent_scope = $req->{sessionInfo}->{"_oidc_consent_scope_$rp"}; - #if ( $RPoidcConsent[0]->{rp} eq $rp ) + #if ( $RPoidcConsent[0]{rp} eq $rp ) #{ #$ask_for_consent = 0; #my $consent_time = - #$RPoidcConsent[0]->{time}; + #$RPoidcConsent[0]{time}; # my $consent_scope = - # $RPoidcConsent[0]->{scope}; + # $RPoidcConsent[0]{scope}; $self->logger->debug( "Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)" @@ -462,12 +463,12 @@ sub run { } ); - ############### + ################ - $RPoidcConsent[0]->{time} = time; - $RPoidcConsent[0]->{scope} = $oidc_request->{'scope'}; + $RPoidcConsent[0]{time} = time; + $RPoidcConsent[0]{scope} = $oidc_request->{'scope'}; - push @{$_oidcConsents}, @{$RPoidcConsent}; + push @{$_oidcConsents}, @RPoidcConsent; #{ #type => 'U2F', -- GitLab From 8d5693dc1ddb25076aa9683ff9c4615a0bf89e36 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 17:53:06 +0200 Subject: [PATCH 04/40] WIP - Modify oidcConsents key structure --- .../NG/Portal/Issuer/OpenIDConnect.pm | 46 ++++++++----------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index c1143b9543..c807779ec5 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -375,8 +375,8 @@ sub run { my $_oidcConsents; my @RPoidcConsent = (); - # Loading existing oidcConsents - $self->logger->debug("Looking for OIDC Consents ..."); + # Loading existing oidcConsents + $self->logger->debug("Looking for OIDC Consents ..."); if ( $req->{sessionInfo}->{_oidcConsents} ) { $_oidcConsents = eval { 
@@ -400,29 +400,27 @@ sub run { $self->logger->debug("No Relying Party $rp Consent found"); # Set default value - push @RPoidcConsent, { rp => $rp, time => '', scope => '' }; + push @RPoidcConsent, + { rp => $rp, epoch => '', scope => '' }; } ################### - if ( $req->{sessionInfo}->{"_oidc_consent_time_$rp"} - and $req->{sessionInfo}->{"_oidc_consent_scope_$rp"} ) + #if ( $req->{sessionInfo}->{"_oidc_consent_time_$rp"} + #and $req->{sessionInfo}->{"_oidc_consent_scope_$rp"} ) - { - $ask_for_consent = 0; - my $consent_time = - $req->{sessionInfo}->{"_oidc_consent_time_$rp"}; - my $consent_scope = - $req->{sessionInfo}->{"_oidc_consent_scope_$rp"}; + #{ + #$ask_for_consent = 0; + #my $consent_time = + #$req->{sessionInfo}->{"_oidc_consent_time_$rp"}; + #my $consent_scope = + #$req->{sessionInfo}->{"_oidc_consent_scope_$rp"}; - #if ( $RPoidcConsent[0]{rp} eq $rp ) - #{ - #$ask_for_consent = 0; + if ( $RPoidcConsent[0]{rp} eq $rp ) { + $ask_for_consent = 0; - #my $consent_time = - #$RPoidcConsent[0]{time}; - # my $consent_scope = - # $RPoidcConsent[0]{scope}; + my $consent_time = $RPoidcConsent[0]{epoch}; + my $consent_scope = $RPoidcConsent[0]{scope}; $self->logger->debug( "Consent already given for Relying Party $rp (time: $consent_time, scope: $consent_scope)" @@ -463,20 +461,12 @@ sub run { } ); - ################ +################ - $RPoidcConsent[0]{time} = time; + $RPoidcConsent[0]{epoch} = time; $RPoidcConsent[0]{scope} = $oidc_request->{'scope'}; push @{$_oidcConsents}, @RPoidcConsent; - - #{ - #type => 'U2F', - #name => $keyName, - #_userKey => $self->encode_base64url( $userKey, '' ), - #_keyHandle => $keyHandle, - #epoch => $epoch - #}; $self->logger->debug( "Append Relying Party $rp Consent"); $self->p->updatePersistentSession( $req, -- GitLab From eff2b66cf2c0fae33120eff5447cf04910fdf5ee Mon Sep 17 00:00:00 2001 
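Review bot: `if ( $RPoidcConsent[0]{rp} eq $rp )` is always true: the preceding `unless (@RPoidcConsent)` block pushes a default `{ rp => $rp, epoch => '', scope => '' }` whenever nothing was found, so `$ask_for_consent` is set to 0 for every RP and the user is never prompted, unless a check outside this hunk still rejects the empty scope. Test the stored values instead, as the legacy condition being commented out did: `if ( $RPoidcConsent[0]{epoch} and $RPoidcConsent[0]{scope} ) {`. The same condition survives unchanged in patch 05. `sub run` starts and ends outside the hunk.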
From: Christophe Maudoux Date: Sun, 15 Jul 2018 19:17:48 +0200 Subject: [PATCH 05/40] WIP - Modify oidcConsents key structure --- .../NG/Portal/Issuer/OpenIDConnect.pm | 22 +------- .../lib/Lemonldap/NG/Portal/Main/Display.pm | 51 +++++++++++++++---- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index c807779ec5..7679698a9b 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -370,8 +370,6 @@ sub run { } else { my $ask_for_consent = 1; - -######################## my $_oidcConsents; my @RPoidcConsent = (); @@ -404,18 +402,6 @@ sub run { { rp => $rp, epoch => '', scope => '' }; } -################### - - #if ( $req->{sessionInfo}->{"_oidc_consent_time_$rp"} - #and $req->{sessionInfo}->{"_oidc_consent_scope_$rp"} ) - - #{ - #$ask_for_consent = 0; - #my $consent_time = - #$req->{sessionInfo}->{"_oidc_consent_time_$rp"}; - #my $consent_scope = - #$req->{sessionInfo}->{"_oidc_consent_scope_$rp"}; - if ( $RPoidcConsent[0]{rp} eq $rp ) { $ask_for_consent = 0; @@ -451,6 +437,7 @@ sub run { if ( $req->param('confirm') and $req->param('confirm') == 1 ) { + ############ $self->p->updatePersistentSession( $req, { "_oidc_consent_time_$rp" => time } ); $self->p->updatePersistentSession( @@ -460,20 +447,15 @@ sub run { $oidc_request->{'scope'} } ); - -################ - + ############ $RPoidcConsent[0]{epoch} = time; $RPoidcConsent[0]{scope} = $oidc_request->{'scope'}; - push @{$_oidcConsents}, @RPoidcConsent; $self->logger->debug( "Append Relying Party $rp Consent"); $self->p->updatePersistentSession( $req, { _oidcConsents => to_json($_oidcConsents) } ); -################# - $self->logger->debug( "Consent given for Relying Party $rp"); } 
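Review bot: On confirm the same consent is now persisted three times through separate `updatePersistentSession` calls — the legacy `_oidc_consent_time_$rp` / `_oidc_consent_scope_$rp` keys and the new `_oidcConsents` JSON — while the read path in this file has only consulted `_oidcConsents` since patch 04, so the legacy writes are dead and the two representations can drift apart. Keep a single call, `$self->p->updatePersistentSession( $req, { _oidcConsents => to_json($_oidcConsents) } );`, and either drop the legacy keys or add a comment stating which older consumer still needs them. The two `############` marker comments added in the `-437,6` and `-460,20` hunks are debugging scaffolding and should be removed before the change lands. `sub run` starts and ends outside the hunk.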
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index 7e30aaa5d5..706fd3d0a1 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -7,6 +7,7 @@ our $VERSION = '2.0.0';
 package Lemonldap::NG::Portal::Main;
 use strict;
 use Mouse;
+use JSON;
 has skinRules => ( is => 'rw' );
@@ -521,18 +522,46 @@ sub mkOidcConsent { } } - my $consents = {}; - - foreach ( keys %$session ) { - if ( $_ =~ /_oidc_consent_time_(.+)$/ ) { - $consents->{$1}->{time} = $session->{ "_oidc_consent_time_" . $1 }; - $consents->{$1}->{scope} = - $session->{ "_oidc_consent_scope_" . $1 }; - $consents->{$1}->{displayName} = - $self->conf->{oidcRPMetaDataOptions}->{$1} - ->{oidcRPMetaDataOptionsDisplayName}; + # Loading existing oidcConsents + $self->logger->debug("Loading OIDC Consents ..."); + my @consents = (); + if ( exists $session->{_oidcConsents} ) { + @consents = eval { + from_json( $session->{_oidcConsents}, { allow_nonref => 1 } ); + }; + if ($@) { + $self->logger->error("Corrupted session (_oidcConsents): $@"); + return PE_ERROR; } } + else { + $self->logger->debug("No OIDC Consent found"); + + #$_oidcConsents = []; + } + + my $consents = {}; +##################### + + foreach (@consents) { + my $rp = {$_}->{rp}; + $consents->{$rp}->{epoch} = $_->{epoch}; + $consents->{$rp}->{scope} = $_->{scope}; + $consents->{$rp}->{displayName} = + $self->conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsDisplayName}; + } + + #foreach ( keys %$session ) { + #if ( $_ =~ /_oidc_consent_time_(.+)$/ ) { + #$consents->{$1}->{time} = $session->{ "_oidc_consent_time_" . $1 }; + #$consents->{$1}->{scope} = + #$session->{ "_oidc_consent_scope_" . $1 }; + #$consents->{$1}->{displayName} = + #$self->conf->{oidcRPMetaDataOptions}->{$1} + #->{oidcRPMetaDataOptionsDisplayName}; + #} + #} +##################### return $self->loadTemplate( 'oidcConsents', @@ -541,7 +570,7 @@ sub mkOidcConsent { map { { name => $_, - time => $consents->{$_}->{time}, + time => $consents->{$_}->{epoch}, scope => $consents->{$_}->{scope}, displayName => $consents->{$_}->{displayName} } -- GitLab From c5685fa56a77851e04501629c7f18e48c7810893 Mon Sep 17 00:00:00 2001 
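Review bot: `@consents = eval { from_json(...) }` stores the single array reference returned by `from_json` as the only element of `@consents`, so the `foreach (@consents)` loop runs once over a reference and `{$_}->{rp}` builds a new anonymous hash instead of dereferencing `$_`; the loop should read `my $_consents = eval { ... };` and `foreach (@$_consents) { my $rp = $_->{rp}; ...`. The guard `exists $session->{_oidcConsents}` also differs from the truthiness test used in Issuer/OpenIDConnect.pm: a key present with an empty value reaches `from_json`, which dies, and the user is then shown a corrupted-session error. Returning `PE_ERROR` from a method whose other exit is `$self->loadTemplate(...)` mixes a status code with template output — presumably the caller expects the latter, so verify how `mkOidcConsent`'s result is consumed. `mkOidcConsent` starts outside the hunk.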
From: Christophe Maudoux
Date: Sun, 15 Jul 2018 19:37:59 +0200
Subject: [PATCH 06/40] WIP - Modify oidcConsents key structure
---
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index 706fd3d0a1..f7d340e364 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -544,11 +544,13 @@ sub mkOidcConsent {
 #####################
 foreach (@consents) {
+ if ( defined {$_}->{rp} ){
 my $rp = {$_}->{rp};
 $consents->{$rp}->{epoch} = $_->{epoch};
 $consents->{$rp}->{scope} = $_->{scope};
 $consents->{$rp}->{displayName} = $self->conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsDisplayName};
+ }
 }
 #foreach ( keys %$session ) {
--
GitLab
From fa7c2eb6ca65a861bba40465e37a46b609f62b7c Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Sun, 15 Jul 2018 20:48:50 +0200
Subject: [PATCH 07/40] WIP - Modify oidcConsents key structure
---
 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index f7d340e364..b88dfabd9e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -524,9 +524,9 @@ sub mkOidcConsent {
 # Loading existing oidcConsents
 $self->logger->debug("Loading OIDC Consents ...");
- my @consents = ();
+ my $_consents;
 if ( exists $session->{_oidcConsents} ) {
- @consents = eval {
+ $_consents = eval {
 from_json( $session->{_oidcConsents}, { allow_nonref => 1 } );
 };
 if ($@) {
@@ -543,7 +543,7 @@ sub mkOidcConsent { my $consents = {}; ##################### - foreach (@consents) { + foreach (@$_consents) { if ( defined {$_}->{rp} ){ my $rp = {$_}->{rp}; $consents->{$rp}->{epoch} = $_->{epoch}; -- GitLab From 4885fce87f6b9c239cf7f7564b496658304dc793 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 21:25:12 +0200 Subject: [PATCH 08/40] WIP - Modify oidcConsents key structure --- lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm index b88dfabd9e..138a02ea8d 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm @@ -544,8 +544,9 @@ sub mkOidcConsent { ##################### foreach (@$_consents) { - if ( defined {$_}->{rp} ){ - my $rp = {$_}->{rp}; + if ( defined $_->{rp} ){ + my $rp = $_->{rp}; + $self->logger->debug("RP $rp Consent found"); $consents->{$rp}->{epoch} = $_->{epoch}; $consents->{$rp}->{scope} = $_->{scope}; $consents->{$rp}->{displayName} = -- GitLab From c381ae86b6d96e56360c122088a51bbef766c74b Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 15 Jul 2018 22:08:30 +0200 Subject: [PATCH 09/40] WIP - Modify oidcConsents key structure --- .../lib/Lemonldap/NG/Portal/Main/Display.pm | 18 ++++++------ lemonldap-ng-portal/site/coffee/portal.coffee | 28 ++++++++++++------- .../site/htdocs/static/common/js/portal.js | 10 +++---- .../htdocs/static/common/js/portal.min.js | 2 +- .../site/templates/bootstrap/oidcConsents.tpl | 2 +- 5 files changed, 33 insertions(+), 27 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm index 138a02ea8d..e249dc417f 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm 
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm @@ -544,14 +544,14 @@ sub mkOidcConsent { ##################### foreach (@$_consents) { - if ( defined $_->{rp} ){ - my $rp = $_->{rp}; - $self->logger->debug("RP $rp Consent found"); - $consents->{$rp}->{epoch} = $_->{epoch}; - $consents->{$rp}->{scope} = $_->{scope}; - $consents->{$rp}->{displayName} = - $self->conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsDisplayName}; - } + if ( defined $_->{rp} ) { + my $rp = $_->{rp}; + $self->logger->debug("RP { $rp } Consent found"); + $consents->{$rp}->{epoch} = $_->{epoch}; + $consents->{$rp}->{scope} = $_->{scope}; + $consents->{$rp}->{displayName} = + $self->conf->{oidcRPMetaDataOptions}->{$rp}->{oidcRPMetaDataOptionsDisplayName}; + } } #foreach ( keys %$session ) { @@ -573,7 +573,7 @@ sub mkOidcConsent { map { { name => $_, - time => $consents->{$_}->{epoch}, + epoch => $consents->{$_}->{epoch}, scope => $consents->{$_}->{scope}, displayName => $consents->{$_}->{displayName} } diff --git a/lemonldap-ng-portal/site/coffee/portal.coffee b/lemonldap-ng-portal/site/coffee/portal.coffee index 37802a9ef6..27abe7c9b6 100644 --- a/lemonldap-ng-portal/site/coffee/portal.coffee +++ b/lemonldap-ng-portal/site/coffee/portal.coffee @@ -54,7 +54,7 @@ getValues = () -> # ---------------------------------------- setSelector = "#appslist" -# Function that writes the list order to session (network errors ignored) +# Function to write the sorted apps list to session (network errors ignored) setOrder = -> setKey '_appsListOrder', $(setSelector).sortable("toArray").join() 
@@ -71,16 +71,23 @@ removeOidcConsent = (partner) -> # alert "#{s} #{e}" e = (j,s,e) -> alert "#{s} #{e}" - delKey "_oidc_consent_time_#{partner}" + #delKey "_oidc_consent_time_#{partner}" + ## Success + #, () -> + #delKey "_oidc_consent_scope_#{partner}" + ## Success + #, () -> + #$("[partner='#{partner}']").hide() + ## Error + #, e + #, e + delKey "_oidcConsents",partner # Success , () -> - delKey "_oidc_consent_scope_#{partner}" - # Success - , () -> - $("[partner='#{partner}']").hide() - # Error - , e + $("[partner='#{partner}']").hide() + # Error , e + # Function used by setOrder() and removeOidcConsent() to push new values # For security reason, modification is rejected unless a valid token is given @@ -104,7 +111,7 @@ setKey = (key,val,success,error) -> success: success error: error -delKey = (key,success,error) -> +delKey = (key,partner,success,error) -> $.ajax type: "GET" url: datas['scriptname'] + '/mysession/?gettoken' @@ -114,7 +121,8 @@ delKey = (key,success,error) -> success: (data) -> $.ajax type: "DELETE" - url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}" + url: "#{datas['scriptname']}/mysession/persistent/#{key}?option=#{partner}&token=#{data.token}" + #url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}" dataType: 'json' success: success error: error diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js index cdf84296af..b45f1027d3 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js 
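Review bot: `partner` is interpolated into the query string of the DELETE URL (`?option=#{partner}&token=...`) without URI encoding, so an RP identifier containing `&`, `#`, `=` or non-ASCII characters breaks or truncates the request; use `url: "#{datas['scriptname']}/mysession/persistent/#{key}?option=#{encodeURIComponent(partner)}&token=#{data.token}"`. The server-side handling of the new `option` parameter is not part of this patch, so whether the deletion is restricted to that one entry of `_oidcConsents` cannot be checked here. The old `delKey "_oidc_consent_time_..."` chain in the `removeOidcConsent` hunk is left behind as a commented block, as is the old `#url:` line in this hunk, and both should be removed. The compiled `portal.js` hunk carries the same unencoded URL.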
@@ -79,10 +79,8 @@ LemonLDAP::NG Portal jQuery scripts e = function(j, s, e) { return alert(s + " " + e); }; - return delKey("_oidc_consent_time_" + partner, function() { - return delKey("_oidc_consent_scope_" + partner, function() { - return $("[partner='" + partner + "']").hide(); - }, e); + return delKey("_oidcConsents", partner, function() { + return $("[partner='" + partner + "']").hide(); }, e); }; @@ -110,7 +108,7 @@ LemonLDAP::NG Portal jQuery scripts }); }; - delKey = function(key, success, error) { + delKey = function(key, partner, success, error) { return $.ajax({ type: "GET", url: datas['scriptname'] + '/mysession/?gettoken', @@ -119,7 +117,7 @@ LemonLDAP::NG Portal jQuery scripts success: function(data) { return $.ajax({ type: "DELETE", - url: datas['scriptname'] + "/mysession/persistent/" + key + "?token=" + data.token, + url: datas['scriptname'] + "/mysession/persistent/" + key + "?option=" + partner + "&token=" + data.token, dataType: 'json', success: success, error: error diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js index 934f15054d..862f96fd13 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js 
@@ -1 +1 @@ -(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return 
$(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); +(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return 
translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return $(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); diff --git a/lemonldap-ng-portal/site/templates/bootstrap/oidcConsents.tpl b/lemonldap-ng-portal/site/templates/bootstrap/oidcConsents.tpl index 9304cceb49..cd09127684 100644 --- a/lemonldap-ng-portal/site/templates/bootstrap/oidcConsents.tpl +++ b/lemonldap-ng-portal/site/templates/bootstrap/oidcConsents.tpl @@ -11,7 +11,7 @@ "> - + -- GitLab From 8f202411c13232c6f8fe1d811ec4d87936732190 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 16 Jul 2018 11:50:49 +0200 Subject: [PATCH 10/40] Fix typo --- .../lib/Lemonldap/NG/Portal.pm | 49 ++++++++++--------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm index b096959156..35234d33f5 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm @@ -32,11 +32,12 @@ Use any of Plack launcher. Example: =head1 DESCRIPTION Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It -simplifies the build of a protected area with a few changes in the application. +provides an easy way to build a secured area to protect applications with +very few changes. -It manages both authentication and authorization and provides headers for -accounting. So you can have a full AAA protection for your web space as -described below. +Lemonldap::NG manages both authentication and authorization. Furthermore +it provides headers for accounting. So you can have a full AAA protection +for your web space as described below. Lemonldap::NG::Portal provides portal components. See L for more. 
@@ -44,16 +45,16 @@ L for more. =head1 KINEMATICS The portal object is based on L: underlying -handler tries to authenticate user and then follow the routes (auth/unauth) -declared during initialization. +handler tries to authenticate user and follows initialized auth / unauth +routes. =head2 Initialization -The initialisation process subscribes portal to handler configuration reload and -ask for handler initialization (L). -So configuration read is triggered by handler at each reload. +Initialization process subscribes portal to handler configuration reload and +requests handler initialization (L). +So configuration is read by handler at each reload. -During configuration reload, every enabled components are loaded as plugins: +During configuration reload, each enabled components are loaded as plugins: =over @@ -65,7 +66,7 @@ During configuration reload, every enabled components are loaded as plugins: =back -init() is called for each plugin. If one plugin initialization fails (init() +init() is called for each plugin. If a plugin initialization fails (init() returns 0), the portal responds a 500 status code for each request. See L to see how to write modules. @@ -73,7 +74,7 @@ See L to see how to write modules. =head2 Main route The "/" route is declared in L. It points to -different methods in L. Theses methods choose +different methods in L. Theses methods select methods to call in the process and call do(). do() stores methods to call in $req->steps and launches 
@@ -81,18 +82,18 @@ Lemonldap::NG::Portal::Main::Process::process(). This method removes each method stored in $req->steps and launches it. If the result is PE_OK, process() continues, else it returns the error code. -If the request was an Ajax one, do() responds in JSON format else it manages -redirection if any. Else it calls -Lemonldap::NG::Portal::Main::Display::display() to have template and arguments, -then it launch Lemonldap::NG::Common::PSGI::sendHtml() with them. +If it is an Ajax request, do() responds in JSON format else it manages +redirection if any. Else it calls +Lemonldap::NG::Portal::Main::Display::display() to load template and arguments, +and launches Lemonldap::NG::Common::PSGI::sendHtml() using them. =head1 DEVELOPER INSTRUCTIONS Portal main object is defined in Lemonldap::NG::Portal::Main::* classes. Other -components are plugins. Plugins must not store any hash key in the main object. +components are plugins. Plugins do not have to store any hash key in main object. -Main and plugin keys must be initializated during initialization. They must -be read-only during receiving requests. +Main and plugin keys must be set during initialization process. They must +be read-only during requests receiving. The L request has fixed keys. A plugin that wants to store a temporary key must store it in C<$req-Edata> or use 
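Review bot: The rewritten DEVELOPER INSTRUCTIONS sentence changes the meaning of the rule: the old `Plugins must not store any hash key in the main object.` is a prohibition, while the new `Plugins do not have to store any hash key in main object.` reads as "it is optional". Keep the original wording, or use `Plugins must never store hash keys in the main object.`. In the same hunk `be read-only during requests receiving` is awkward; `be read-only while requests are being processed` says the same thing clearly. The -44 hunk above keeps the typo `Theses methods` and introduces `each enabled components are loaded`, which should be `each enabled component is loaded`, and the -100 hunk below has `can access to portal methods` where `can access portal methods` is meant.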
@@ -100,10 +101,11 @@ defined keys, but it must never create a root key. Plugin keys may have explicit names to avoid conflicts. Whole configuration is always available. It is stored in $self->conf. It must -not be modified by anyone even during initialization or receiving request -(during initialization, copy the value in the plugin namespace instead). +not be modified by any components even during initialization process or +receiving request (during initialization, copy the value in the plugin +namespace instead). -All plugins can dial with the portal methods using $self->p which points to +All plugins can access to portal methods using $self->p which points to portal main object. Some main methods are mapped to the plugin namespace: =over @@ -118,8 +120,7 @@ portal main object. Some main methods are mapped to the plugin namespace: =head1 SEE ALSO -Most of the documentation is available on the website -L +Most of the documentation is available on L website =head2 OTHER POD FILES -- GitLab From 3fbf577a2fcab572d5527fee590998e319cbbb48 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 16 Jul 2018 22:17:23 +0200 Subject: [PATCH 11/40] WIP - Modify oidcConsents key structure --- .../Lemonldap/NG/Portal/Plugins/RESTServer.pm | 20 ++++++++++++++----- lemonldap-ng-portal/site/coffee/portal.coffee | 5 ++--- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 955c714584..51c82251d4 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm 
@@ -404,9 +404,10 @@ sub updateMySession { sub delKeyInMySession { my ( $self, $req ) = @_; - my $res = 0; - my $mKeys = []; - my $dkey = $req->param('key'); + my $res = 0; + my $mKeys = []; + my $dkey = $req->param('key'); + my $option = $req->param('option'); if ( my $token = $req->param('token') ) { if ( $self->ott->getToken($token) ) { if ( $req->param('sessionType') eq 'persistent' ) { @@ -424,8 +425,17 @@ sub delKeyInMySession { } } if ($res) { - $self->p->updatePersistentSession( $req, - { $dkey => undef } ); + if ( $dkey !~ /^oidcConsents$/ ) { + $self->p->updatePersistentSession( $req, + { $dkey => undef } ) + } + elsif ( $dkey =~ /^oidcConsents$/ and defined $option ) { + $self->p->updatePersistentSession( $req, + { $dkey => { $option => undef } } ) + } + else { + $self->logger->error('Update session request with invalid option') + } } } } diff --git a/lemonldap-ng-portal/site/coffee/portal.coffee b/lemonldap-ng-portal/site/coffee/portal.coffee index 27abe7c9b6..6788a82913 100644 --- a/lemonldap-ng-portal/site/coffee/portal.coffee +++ b/lemonldap-ng-portal/site/coffee/portal.coffee @@ -111,7 +111,7 @@ setKey = (key,val,success,error) -> success: success error: error -delKey = (key,partner,success,error) -> +delKey = (key,option,success,error) -> $.ajax type: "GET" url: datas['scriptname'] + '/mysession/?gettoken' @@ -121,8 +121,7 @@ delKey = (key,partner,success,error) -> success: (data) -> $.ajax type: "DELETE" - url: "#{datas['scriptname']}/mysession/persistent/#{key}?option=#{partner}&token=#{data.token}" - #url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}" + url: "#{datas['scriptname']}/mysession/persistent/#{key}?option=#{option}&token=#{data.token}" dataType: 'json' success: success error: error -- GitLab From 949200c6a06e98a6e2e2f5a29c197087bc34b0d0 Mon Sep 17 00:00:00 2001 
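Review bot: In the new `elsif` branch of the -424 hunk, `updatePersistentSession( $req, { $dkey => { $option => undef } } )` stores a nested hashref under `$dkey`; if the consents key is kept as a serialized string in the persistent session (later patches in this series decode it with `from_json`), this does not remove the single consent named by `$option` and may replace the whole value — confirm how updatePersistentSession treats a hashref value before relying on it. The `elsif` also re-tests `$dkey =~ /^oidcConsents$/` although the preceding `if` already excluded every other key, so `elsif ( defined $option )` is equivalent and clearer. The `else` branch logs an error but execution continues on the normal path, so the caller presumably still receives a success response for a request that changed nothing; the return is outside the hunk. delKeyInMySession starts before this hunk and ends after it.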
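Review bot: The DELETE URL in the new `url:` line of the portal.coffee -121 hunk interpolates `key` and `option` into the path and query string without encoding, so a relying-party identifier containing `&`, `#`, `=` or `/` is split or truncated by the server's parameter parsing and the request either targets a different key or lands in the error branch. Encode both values: `url: "#{datas['scriptname']}/mysession/persistent/#{encodeURIComponent(key)}?option=#{encodeURIComponent(option)}&token=#{data.token}"`. The same applies to the `?sub=` rewrite of this line in patch 16/40 and to the generated portal.js copies there and in patch 17/40.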
From: Christophe Maudoux Date: Mon, 16 Jul 2018 22:34:11 +0200 Subject: [PATCH 12/40] WIP - Modify oidcConsents key structure(#1464) --- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 51c82251d4..2d8271f9e2 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -351,7 +351,7 @@ sub mysession { sub getMyKey { my ( $self, $req, $key ) = @_; - $self->logger->debug('Request to get personal session info'); + $self->logger->debug("Request to get personal session info -> Key : $key"); return $self->session( $req, $req->userData->{_session_id}, @@ -384,6 +384,7 @@ sub updateMySession { push @$mKeys, $key; $self->p->updatePersistentSession( $req, { $key => $v } ); + $self->logger->debug("Request to update session -> Key : $key"); } } } @@ -427,11 +428,13 @@ sub delKeyInMySession { if ($res) { if ( $dkey !~ /^oidcConsents$/ ) { $self->p->updatePersistentSession( $req, - { $dkey => undef } ) + { $dkey => undef } ); + $self->logger->debug("Update session -> delete Key : $dkey"); } elsif ( $dkey =~ /^oidcConsents$/ and defined $option ) { $self->p->updatePersistentSession( $req, - { $dkey => { $option => undef } } ) + { $dkey => { $option => undef } } ); + $self->logger->debug("Update session -> delete Key : $dkey with Option : $option"); } else { $self->logger->error('Update session request with invalid option') -- GitLab From 96912d9c27a492e79de87c70a2ca14cf2184e30f Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 16 Jul 2018 22:47:36 +0200 Subject: [PATCH 13/40] WIP - Modify oidcConsents key structure (#1464) --- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
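Review bot: The debug lines added in the -351, -384 and -427 hunks write `$key`, `$dkey` and `$option` to the log verbatim, and all of them come straight from the request (a path element and query parameters), so the caller decides what ends up in the log, including embedded line breaks if the logger does not escape control characters — check that before treating these lines as an audit trail, or log a sanitized copy such as `( my $safe_option = $option ) =~ s/[^\w.:@-]/_/g;`. The -427 hunk also adds the missing `;` after the two updatePersistentSession calls, which patch 11/40 relied on only because they were the last statement of their block. delKeyInMySession starts before the -427 hunk and ends after it.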
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 2d8271f9e2..8a1ba2ba95 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -426,12 +426,12 @@ sub delKeyInMySession { } } if ($res) { - if ( $dkey !~ /^oidcConsents$/ ) { + if ( $dkey !~ /^_oidcConsents$/ ) { $self->p->updatePersistentSession( $req, { $dkey => undef } ); $self->logger->debug("Update session -> delete Key : $dkey"); } - elsif ( $dkey =~ /^oidcConsents$/ and defined $option ) { + elsif ( $dkey =~ /^_oidcConsents$/ and defined $option ) { $self->p->updatePersistentSession( $req, { $dkey => { $option => undef } } ); $self->logger->debug("Update session -> delete Key : $dkey with Option : $option"); -- GitLab From eff809424c1156f1395a4e248c1ab89c55ec92ff Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 16 Jul 2018 22:56:43 +0200 Subject: [PATCH 14/40] Modify oidcConsents key structure (#1464) - perltidy --- .../Lemonldap/NG/Portal/Plugins/RESTServer.pm | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 8a1ba2ba95..25a3648e4f 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -384,7 +384,8 @@ sub updateMySession { push @$mKeys, $key; $self->p->updatePersistentSession( $req, { $key => $v } ); - $self->logger->debug("Request to update session -> Key : $key"); + $self->logger->debug( + "Request to update session -> Key : $key"); } } } 
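Review bot: `$dkey !~ /^_oidcConsents$/` and `$dkey =~ /^_oidcConsents$/` in the -426 hunk are exact-string comparisons written as regexes, and `$` also matches before a trailing newline, so a `key` parameter of `_oidcConsents` followed by `%0A` passes the second test and is then used as the key name. Plain string operators avoid that and read better: `if ( $dkey ne '_oidcConsents' )` and `elsif ( defined $option )`. delKeyInMySession starts before this hunk and ends after it.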
@@ -426,19 +427,23 @@ sub delKeyInMySession { } } if ($res) { - if ( $dkey !~ /^_oidcConsents$/ ) { - $self->p->updatePersistentSession( $req, - { $dkey => undef } ); - $self->logger->debug("Update session -> delete Key : $dkey"); - } + if ( $dkey !~ /^_oidcConsents$/ ) { + $self->p->updatePersistentSession( $req, + { $dkey => undef } ); + $self->logger->debug( + "Update session -> delete Key : $dkey"); + } elsif ( $dkey =~ /^_oidcConsents$/ and defined $option ) { - $self->p->updatePersistentSession( $req, - { $dkey => { $option => undef } } ); - $self->logger->debug("Update session -> delete Key : $dkey with Option : $option"); - } - else { - $self->logger->error('Update session request with invalid option') - } + $self->p->updatePersistentSession( $req, + { $dkey => { $option => undef } } ); + $self->logger->debug( +"Update session -> delete Key : $dkey with Option : $option" + ); + } + else { + $self->logger->error( + 'Update session request with invalid Key or Option'); + } } } } -- GitLab From 72920d1ede2add0a445591846fb9f7712bf9aba9 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 16 Jul 2018 23:00:44 +0200 Subject: [PATCH 15/40] Modify oidcConsents key structure (#1464) - perltidy --- .../NG/Portal/Issuer/OpenIDConnect.pm | 22 +++++++++---------- .../Lemonldap/NG/Portal/Plugins/RESTServer.pm | 3 ++- lemonldap-ng-portal/site/coffee/portal.coffee | 10 --------- 3 files changed, 13 insertions(+), 22 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 7679698a9b..8783c4842f 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm 
@@ -437,17 +437,17 @@ sub run { if ( $req->param('confirm') and $req->param('confirm') == 1 ) { - ############ - $self->p->updatePersistentSession( $req, - { "_oidc_consent_time_$rp" => time } ); - $self->p->updatePersistentSession( - $req, - { - "_oidc_consent_scope_$rp" => - $oidc_request->{'scope'} - } - ); - ############ + ############# + #$self->p->updatePersistentSession( $req, + #{ "_oidc_consent_time_$rp" => time } ); + #$self->p->updatePersistentSession( + #$req, + #{ + #"_oidc_consent_scope_$rp" => + #$oidc_request->{'scope'} + #} + #); + ############# $RPoidcConsent[0]{epoch} = time; $RPoidcConsent[0]{scope} = $oidc_request->{'scope'}; push @{$_oidcConsents}, @RPoidcConsent; diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 25a3648e4f..4df5fe4010 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -442,7 +442,8 @@ sub delKeyInMySession { } else { $self->logger->error( - 'Update session request with invalid Key or Option'); + 'Update session request with invalid Key or Option' + ); } } } diff --git a/lemonldap-ng-portal/site/coffee/portal.coffee b/lemonldap-ng-portal/site/coffee/portal.coffee index 6788a82913..d04cfa1099 100644 --- a/lemonldap-ng-portal/site/coffee/portal.coffee +++ b/lemonldap-ng-portal/site/coffee/portal.coffee @@ -71,16 +71,6 @@ removeOidcConsent = (partner) -> # alert "#{s} #{e}" e = (j,s,e) -> alert "#{s} #{e}" - #delKey "_oidc_consent_time_#{partner}" - ## Success - #, () -> - #delKey "_oidc_consent_scope_#{partner}" - ## Success - #, () -> - #$("[partner='#{partner}']").hide() - ## Error - #, e - #, e delKey "_oidcConsents",partner # Success , () -> -- GitLab From e1917a59def0ea5ec1e932295bd4974ee239d84d Mon Sep 17 00:00:00 2001 
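Review bot: The old `_oidc_consent_time_$rp` / `_oidc_consent_scope_$rp` writes are commented out rather than deleted; git history already keeps them, and the block between the `#############` markers now only hides the live assignments to `$RPoidcConsent[0]{epoch}` and `{scope}` and the `push`. Delete the block. Persistent sessions created by the old code still carry the per-RP keys, and nothing visible in this series removes them, so consent data lives in two layouts until those sessions expire; a one-line comment at this spot, `# Legacy _oidc_consent_{time,scope}_<rp> keys are no longer written (#1464)`, would save the next reader the archaeology. run() starts and ends outside this hunk.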
From: Christophe Maudoux Date: Tue, 17 Jul 2018 18:15:17 +0200 Subject: [PATCH 16/40] Delete revoked consents (#1464) --- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 5 ++++- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 8 ++++---- lemonldap-ng-portal/site/coffee/portal.coffee | 4 ++-- .../site/htdocs/static/common/js/portal.js | 4 ++-- .../site/htdocs/static/common/js/portal.min.js | 2 +- 5 files changed, 13 insertions(+), 10 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index 8783c4842f..c81a2d2501 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -392,7 +392,10 @@ sub run { $_oidcConsents = []; } - # Reading existing RP + # Exclude revoked consents + @$_oidcConsents = map ( { defined $_->{rp} } @$_oidcConsents ); + + # Read existing RP @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; unless (@RPoidcConsent) { $self->logger->debug("No Relying Party $rp Consent found"); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 4df5fe4010..5a61a06cb9 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -409,7 +409,7 @@ sub delKeyInMySession { my $res = 0; my $mKeys = []; my $dkey = $req->param('key'); - my $option = $req->param('option'); + my $sub = $req->param('sub'); if ( my $token = $req->param('token') ) { if ( $self->ott->getToken($token) ) { if ( $req->param('sessionType') eq 'persistent' ) { 
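Review bot: `@$_oidcConsents = map ( { defined $_->{rp} } @$_oidcConsents );` in the -392 hunk does not filter anything: `map` returns the value of its block, so after this line the array holds only true/false scalars, and the following `grep { $_->{rp} eq $rp }` then dereferences a plain scalar as a hash, which dies under `use strict` (visible at the top of this file in patch 19/40). The intended filter is `@$_oidcConsents = grep { defined $_->{rp} } @$_oidcConsents;`. run() starts and ends outside this hunk.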
@@ -433,11 +433,11 @@ sub delKeyInMySession { $self->logger->debug( "Update session -> delete Key : $dkey"); } - elsif ( $dkey =~ /^_oidcConsents$/ and defined $option ) { + elsif ( $dkey =~ /^_oidcConsents$/ and defined $sub ) { $self->p->updatePersistentSession( $req, - { $dkey => { $option => undef } } ); + { $dkey => { $sub => undef } } ); $self->logger->debug( -"Update session -> delete Key : $dkey with Option : $option" +"Update session -> delete Key : $dkey with Option : $sub" ); } else { diff --git a/lemonldap-ng-portal/site/coffee/portal.coffee b/lemonldap-ng-portal/site/coffee/portal.coffee index d04cfa1099..33f29a18e2 100644 --- a/lemonldap-ng-portal/site/coffee/portal.coffee +++ b/lemonldap-ng-portal/site/coffee/portal.coffee @@ -101,7 +101,7 @@ setKey = (key,val,success,error) -> success: success error: error -delKey = (key,option,success,error) -> +delKey = (key,sub,success,error) -> $.ajax type: "GET" url: datas['scriptname'] + '/mysession/?gettoken' @@ -111,7 +111,7 @@ delKey = (key,option,success,error) -> success: (data) -> $.ajax type: "DELETE" - url: "#{datas['scriptname']}/mysession/persistent/#{key}?option=#{option}&token=#{data.token}" + url: "#{datas['scriptname']}/mysession/persistent/#{key}?sub=#{sub}&token=#{data.token}" dataType: 'json' success: success error: error diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js index b45f1027d3..540e299dbe 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js @@ -108,7 +108,7 @@ LemonLDAP::NG Portal jQuery scripts }); }; - delKey = function(key, partner, success, error) { + delKey = function(key, option, success, error) { return $.ajax({ type: "GET", url: datas['scriptname'] + '/mysession/?gettoken', 
@@ -117,7 +117,7 @@ LemonLDAP::NG Portal jQuery scripts success: function(data) { return $.ajax({ type: "DELETE", - url: datas['scriptname'] + "/mysession/persistent/" + key + "?option=" + partner + "&token=" + data.token, + url: datas['scriptname'] + "/mysession/persistent/" + key + "?option=" + option + "&token=" + data.token, dataType: 'json', success: success, error: error diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js index 862f96fd13..dcb972f275 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js 
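Review bot: The regenerated portal.js in this commit still sends `?option=` in the -117 hunk (and the -108 hunk renames the parameter to `option`), while the server side of the same commit now reads `$req->param('sub')` and portal.coffee emits `?sub=`; with these built assets the server never sees `sub`, `defined $sub` is false, and every consent revocation lands in the error branch. Rebuild the JS from the CoffeeScript source so the line reads `url: datas['scriptname'] + "/mysession/persistent/" + key + "?sub=" + sub + "&token=" + data.token,`. The portal.min.js hunk that follows is presumably generated from the same stale source and needs the same rebuild; patch 17/40 appears to do exactly that.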
@@ -1 +1 @@ -(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return 
$(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); +(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return 
translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return $(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); -- GitLab From da44a7c83e4bee2fc3c6c6b86d9f7d4470f1e589 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Tue, 17 Jul 2018 18:18:50 +0200 Subject: [PATCH 17/40] perltidy (#1464) --- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 8 ++++---- .../site/htdocs/static/common/js/portal.js | 4 ++-- .../site/htdocs/static/common/js/portal.min.js | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index c81a2d2501..be6d868c22 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -394,7 +394,7 @@ sub run { # Exclude revoked consents @$_oidcConsents = map ( { defined $_->{rp} } @$_oidcConsents ); - + # Read existing RP @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; unless (@RPoidcConsent) { diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index 5a61a06cb9..eead294e0d 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm 
@@ -406,10 +406,10 @@ sub updateMySession { sub delKeyInMySession { my ( $self, $req ) = @_; - my $res = 0; - my $mKeys = []; - my $dkey = $req->param('key'); - my $sub = $req->param('sub'); + my $res = 0; + my $mKeys = []; + my $dkey = $req->param('key'); + my $sub = $req->param('sub'); if ( my $token = $req->param('token') ) { if ( $self->ott->getToken($token) ) { if ( $req->param('sessionType') eq 'persistent' ) { diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js index 540e299dbe..8cda5be9de 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.js @@ -108,7 +108,7 @@ LemonLDAP::NG Portal jQuery scripts }); }; - delKey = function(key, option, success, error) { + delKey = function(key, sub, success, error) { return $.ajax({ type: "GET", url: datas['scriptname'] + '/mysession/?gettoken', @@ -117,7 +117,7 @@ LemonLDAP::NG Portal jQuery scripts success: function(data) { return $.ajax({ type: "DELETE", - url: datas['scriptname'] + "/mysession/persistent/" + key + "?option=" + option + "&token=" + data.token, + url: datas['scriptname'] + "/mysession/persistent/" + key + "?sub=" + sub + "&token=" + data.token, dataType: 'json', success: success, error: error diff --git a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js index dcb972f275..90fa6cedf4 100644 --- a/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js +++ b/lemonldap-ng-portal/site/htdocs/static/common/js/portal.min.js 
@@ -1 +1 @@ -(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return 
$(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); +(function(){var datas,delKey,getCookie,getValues,isHiddenFormValueSet,ping,removeOidcConsent,restoreOrder,setCookie,setKey,setOrder,setSelector,translate,translatePage,translationFields,indexOf=[].indexOf||function(item){for(var i=0,l=this.length;i div.category",update:function(){return setOrder()}});restoreOrder();$("div.message").fadeIn("slow");$("input[name=timezone]").val(-((new Date).getTimezoneOffset()/60));menuTabs=$("#menu").tabs({active:0});menuIndex=$('#menu a[href="#'+datas["displaytab"]+'"]').parent().index();if(menuIndex<0){menuIndex=0}menuTabs.tabs("option","active",menuIndex);authMenuTabs=$("#authMenu").tabs({active:0});if(datas["choicetab"]){authMenuTabs.tabs("option","active",$('#authMenu a[href="#'+datas["choicetab"]+'"]').parent().index())}if(datas["login"]){$("input[type=password]:first").focus()}else{$("input[type!=hidden]:first").focus()}if(datas["newwindow"]){$("#appslist a").attr("target","_blank")}if($("p.removeOther").length){action=$("form.login").attr("action");method=$("form.login").attr("method");back_url="";if(action.indexOf("?")!==-1){action.substring(0,action.indexOf("?"))+"?"}else{back_url=action+"?"}$("form.login input[type=hidden]").each(function(index){return back_url+="&"+$(this).attr("name")+"="+$(this).val()});link=$("p.removeOther a").attr("href")+"&method="+method+"&url="+btoa(back_url);$("p.removeOther a").attr("href",link)}lang=getCookie("llnglanguage");if(!lang){if(navigator){langs=[];langs2=[];nlangs=[navigator.language];if(navigator.languages){nlangs=navigator.languages}ref=window.availableLanguages;for(i=0,len=ref.length;i ';for(l=0,len1=nlangs.length;l '}$("#languages").html(langdiv);$(".langicon").on("click",function(){lang=$(this).attr("title");setCookie("llnglanguage",lang);return 
translatePage(lang)});if(datas["pingInterval"]&&datas["pingInterval"]>0){window.setTimeout(ping,datas["pingInterval"])}$(".localeDate").each(function(){var s;s=new Date($(this).attr("val")*1e3);return $(this).text(s.toLocaleString())});return $(".oidcConsent").on("click",function(){return removeOidcConsent($(this).attr("partner"))})})}).call(this); -- GitLab From 344c7a644f536ec5991de0401086c68dae12d5ef Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Tue, 17 Jul 2018 19:12:35 +0200 Subject: [PATCH 18/40] WIP - Delete revoked consents (#1464) --- .../NG/Portal/Issuer/OpenIDConnect.pm | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index be6d868c22..a327a4a6c3 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -391,10 +391,20 @@ sub run { $self->logger->debug("No OIDC Consent found"); $_oidcConsents = []; } - - # Exclude revoked consents - @$_oidcConsents = map ( { defined $_->{rp} } @$_oidcConsents ); - + + ############ + ### Exclude revoked consents + #my @keep = (); + #while (@$_oidcConsents) { + #my $element = shift @$_oidcConsents; + #$self->logger->debug("Looking for revoked consents to delete ..."); + #push @keep, $element if ( defined $element->{rp} and defined $element->{epoch} and defined $element->{scope} ); + #} + #@$_oidcConsents = @keep; + + ############ + + # Read existing RP @RPoidcConsent = grep { $_->{rp} eq $rp } @$_oidcConsents; unless (@RPoidcConsent) { -- GitLab From d269db6346aa61c1a4d934537972c94544b2e59c Mon Sep 17 00:00:00 2001 
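Review bot: After the -391 hunk the revoked-consent filter is only a commented-out `while` loop between `############` markers, so nothing in this path drops incomplete entries any more; the removed `map` line was the broken form anyway, since it returned booleans instead of elements. A live one-line `grep` does what the comment describes: `@$_oidcConsents = grep { defined $_->{rp} and defined $_->{epoch} and defined $_->{scope} } @$_oidcConsents;` — put it where the comment block is and delete the block instead of keeping dead code. Without it, an entry lacking `rp` reaches `grep { $_->{rp} eq $rp }` below and raises an uninitialized-value warning if warnings are enabled for this file. run() starts and ends outside this hunk.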
From: Christophe Maudoux Date: Tue, 17 Jul 2018 21:36:51 +0200 Subject: [PATCH 19/40] WIP - Delete revoked consents (#1464) --- .../lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm | 2 +- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm index a327a4a6c3..5c09d1b84a 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm @@ -1,7 +1,7 @@ package Lemonldap::NG::Portal::Issuer::OpenIDConnect; use strict; -use JSON; +use JSON qw(from_json to_json); use Mouse; use Lemonldap::NG::Common::FormEncode; use Lemonldap::NG::Portal::Main::Constants qw( diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index eead294e0d..b82eca4f66 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -434,10 +434,10 @@ sub delKeyInMySession { "Update session -> delete Key : $dkey"); } elsif ( $dkey =~ /^_oidcConsents$/ and defined $sub ) { - $self->p->updatePersistentSession( $req, - { $dkey => { $sub => undef } } ); + $tof = $req->userData->{ $self->conf->{whatToTrace} }; + $self->p->updatePersistentSession( $req, { $dkey => 'TOF' } ); $self->logger->debug( -"Update session -> delete Key : $dkey with Option : $sub" +"Update session -> delete Key : $dkey with Option : $sub & TOTOF = $tof" ); } else { -- GitLab From 0bbcf4a6cc728ba400896a28486b4caee0d72cdd Mon Sep 17 00:00:00 2001 
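Review bot: In the -434 hunk `$tof = $req->userData->{ $self->conf->{whatToTrace} };` has no `my`, which does not compile under `use strict` (patch 20/40 adds it), and `updatePersistentSession( $req, { $dkey => 'TOF' } )` replaces the user's entire `_oidcConsents` value with the literal string `'TOF'` on any single revocation, discarding every stored consent and leaving a value that the issuer's `from_json` decode will presumably reject as a corrupted session. This is WIP debug code and must not reach a release branch. The debug message also prints the `whatToTrace` identifier next to the raw `$sub` parameter, which patch 22/40 removes again. delKeyInMySession starts before this hunk and ends after it.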
From: Christophe Maudoux Date: Tue, 17 Jul 2018 21:44:13 +0200 Subject: [PATCH 20/40] WIP - Delete revoked consents (#1464) --- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index b82eca4f66..e6d23ff3d3 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm @@ -351,7 +351,7 @@ sub mysession { sub getMyKey { my ( $self, $req, $key ) = @_; - $self->logger->debug("Request to get personal session info -> Key : $key"); + #$self->logger->debug("Request to get personal session info -> Key : $key"); return $self->session( $req, $req->userData->{_session_id}, @@ -434,7 +434,7 @@ sub delKeyInMySession { "Update session -> delete Key : $dkey"); } elsif ( $dkey =~ /^_oidcConsents$/ and defined $sub ) { - $tof = $req->userData->{ $self->conf->{whatToTrace} }; + my $tof = $req->userData->{ $self->conf->{whatToTrace} }; $self->p->updatePersistentSession( $req, { $dkey => 'TOF' } ); $self->logger->debug( "Update session -> delete Key : $dkey with Option : $sub & TOTOF = $tof" -- GitLab From 6a64f87ccc7a7c7dc9a0381b4e4c3ad351a989e7 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Tue, 17 Jul 2018 21:59:07 +0200 Subject: [PATCH 21/40] WIP - Delete revoked consents (#1464) --- .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm index e6d23ff3d3..9e4f3a270b 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm 
@@ -437,12 +437,12 @@ sub delKeyInMySession {
 my $tof = $req->userData->{ $self->conf->{whatToTrace} };
 $self->p->updatePersistentSession( $req, { $dkey => 'TOF' } );
 $self->logger->debug(
-"Update session -> delete Key : $dkey with Option : $sub & TOTOF = $tof"
+"Update session -> delete Key : $dkey with Sub : $sub & TOTOF = $tof"
 );
 }
 else {
 $self->logger->error(
- 'Update session request with invalid Key or Option'
+ 'Update session request with invalid Key or Sub'
 );
 }
 }
-- GitLab
From e3197a5226f056f852228f094b7aa2e388f2c2ca Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 17 Jul 2018 22:17:45 +0200
Subject: [PATCH 22/40] WIP - Delete revoked consents (#1464)
---
 .../Lemonldap/NG/Portal/Plugins/RESTServer.pm | 38 ++++++++++++++++---
 1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index 9e4f3a270b..fae7ec0463 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
@@ -351,6 +351,7 @@ sub mysession {
 sub getMyKey {
 my ( $self, $req, $key ) = @_;
+ #$self->logger->debug("Request to get personal session info -> Key : $key");
 return $self->session( $req,
@@ -434,16 +435,43 @@ sub delKeyInMySession {
 "Update session -> delete Key : $dkey");
 }
 elsif ( $dkey =~ /^_oidcConsents$/ and defined $sub ) {
- my $tof = $req->userData->{ $self->conf->{whatToTrace} };
- $self->p->updatePersistentSession( $req, { $dkey => 'TOF' } );
+
+ # Read existing oidcConsents
+ $self->logger->debug("Looking for OIDC Consents ...");
+ my $_oidcConsents;
+ if ( $req->userData->{_oidcConsents} ) {
+ $_oidcConsents = eval {
+ from_json( $req->userData->{_oidcConsents},
+ { allow_nonref => 1 } );
+ };
+ if ($@) {
+ $self->logger->error(
+ "Corrupted session (_oidcConsents): $@");
+ return $self->p->sendError( $req,
+ "Corrupted session", 500 );
+ }
+ }
+ else {
+ $self->logger->debug("No OIDC Consents found");
+ $_oidcConsents = [];
+ }
+ my @keep = ();
+ while (@$_oidcConsents) {
+ my $element = shift @$_oidcConsents;
+ $self->logger->debug(
+ "Looking for OIDC Consent to delete ...");
+ push @keep, $element
+ unless ( $element->{rp} eq $sub );
+ }
+ $self->p->updatePersistentSession( $req,
+ { _oidcConsents => to_json( \@keep ) } );
 $self->logger->debug(
-"Update session -> delete Key : $dkey with Sub : $sub & TOTOF = $tof"
+"Update session -> delete Key : $dkey with Sub : $sub"
 );
 }
 else {
 $self->logger->error(
- 'Update session request with invalid Key or Sub'
- );
+ 'Update session request with invalid Key or Sub');
 }
 }
 }
-- GitLab
From cdd6aab89bfc2ad1de3039f9bc0bfeabad603c3d Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 17 Jul 2018 22:28:39 +0200
Subject: [PATCH 23/40] WIP - Delete revoked consents (#1464)
---
 .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index fae7ec0463..b4266eef8e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
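Review bot: The decoded `_oidcConsents` value is never checked to be an array before `while (@$_oidcConsents)`: `allow_nonref => 1` explicitly lets `from_json` return a scalar or a hashref, and dereferencing that as an array dies outside the `eval`, so a corrupted session becomes an uncaught exception instead of the 500 the error branch intends. Each `$element` is likewise assumed to be a hashref with an `rp` key, so a non-hash entry dies under strict refs and an entry without `rp` only warns and is kept. A `ref` check after the decode and a guard on the element before comparing `rp` with `$sub` close both gaps, and the destructive `while`/`shift` loop can then become a single `grep`. The lexical `$_oidcConsents` is also easy to misread next to `$_`; a plain `$consents` would do. delKeyInMySession starts outside the hunk.
```perl
            # … unchanged: from_json eval and its error branch …
            unless ( ref $_oidcConsents eq 'ARRAY' ) {
                $self->logger->error(
                    "Corrupted session (_oidcConsents): not a JSON array");
                return $self->p->sendError( $req, "Corrupted session", 500 );
            }
            my @keep = grep {
                !( ref $_ eq 'HASH' and defined $_->{rp} and $_->{rp} eq $sub )
            } @$_oidcConsents;
            # … unchanged: updatePersistentSession with to_json( \@keep ) and debug log …
```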
@@ -45,6 +45,7 @@ package Lemonldap::NG::Portal::Plugins::RESTServer;
 use strict;
 use Mouse;
+use JSON qw(from_json to_json);
 use MIME::Base64;
 our $VERSION = '2.0.0';
-- GitLab
From ded9393da438665dfa48f7085c7b05789735eed7 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 17 Jul 2018 22:38:01 +0200
Subject: [PATCH 24/40] Delete revoked consents (#1464)
---
 .../lib/Lemonldap/NG/Portal/2F/Register/U2F.pm | 3 ---
 .../lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm | 6 +++---
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm
index ace9c3933c..609b17b674 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm
@@ -178,9 +178,6 @@ sub run {
 foreach ( @{ $req->data->{crypter} } ) {
 my $k = push @rk, { keyHandle => $_->{keyHandle}, version => $data->{version} };
-
- #{ keyHandle => $_->{keyHandle}, version => $challenge->{version} };
-
 }
 # Serialize data
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index b4266eef8e..6093673e11 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
@@ -352,8 +352,8 @@ sub mysession {
 sub getMyKey {
 my ( $self, $req, $key ) = @_;
-
- #$self->logger->debug("Request to get personal session info -> Key : $key");
+ $key ||= '';
+ $self->logger->debug("Request to get personal session info -> Key : $key");
 return $self->session( $req,
 $req->userData->{_session_id},
@@ -453,7 +453,7 @@ sub delKeyInMySession {
 }
 }
 else {
- $self->logger->debug("No OIDC Consents found");
+ $self->logger->debug("No OIDC Consent found");
 $_oidcConsents = [];
 }
 my @keep = ();
-- GitLab
From db4f2b318292724a6647b4e037a033ab781815a6 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 17 Jul 2018 23:07:09 +0200
Subject: [PATCH 25/40] Modify langs (#1464)
---
 lemonldap-ng-manager/site/htdocs/static/languages/ar.json | 1 +
 lemonldap-ng-manager/site/htdocs/static/languages/en.json | 1 +
 lemonldap-ng-manager/site/htdocs/static/languages/fr.json | 1 +
 lemonldap-ng-manager/site/htdocs/static/languages/it.json | 1 +
 lemonldap-ng-manager/site/htdocs/static/languages/vi.json | 1 +
 5 files changed, 5 insertions(+)
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
index fbae7f4cee..5d2eae3912 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@@ -455,6 +455,7 @@
 "oldValue":"قيمة قديمة",
 "on":"تنشيط",
 "oidcAuthnLevel":"مستوى إثبات الهوية",
+"oidcConsents":"OpenID Connect Consents",
 "oidcOP":" أوبين أيدي كونيكت بروفيدر",
 "oidcOPMetaDataExportedVars":"السمات المصدرة",
 "oidcOPMetaDataJSON":"البيانات الوصفية",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/en.json b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
index d0ab5b4a56..6f1080a9f9 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@@ -455,6 +455,7 @@
 "oldValue":"Old value",
 "on":"On",
 "oidcAuthnLevel":"Authentication level",
+"oidcConsents":"OpenID Connect Consents",
 "oidcOP":"OpenID Connect Provider",
 "oidcOPMetaDataExportedVars":"Exported attributes",
 "oidcOPMetaDataJSON":"Metadata",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
index e766ae4079..d1b341b57b 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@@ -455,6 +455,7 @@
 "oldValue":"Ancienne valeur",
 "on":"Activé",
 "oidcAuthnLevel":"Niveau d'authentification",
+"oidcConsents":"Consentements OpenID Connect",
 "oidcOP":"Fournisseur OpenID Connect",
 "oidcOPMetaDataExportedVars":"Attributs exportés",
 "oidcOPMetaDataJSON":"Metadonnées",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/it.json b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
index df360ff715..505787c516 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@@ -455,6 +455,7 @@
 "oldValue":"Vecchio valore",
 "on":"On",
 "oidcAuthnLevel":"Livello di autenticazione",
+"oidcConsents":"OpenID Connect Consents",
 "oidcOP":"Provider di OpenID Connect",
 "oidcOPMetaDataExportedVars":"Attributi esportati",
 "oidcOPMetaDataJSON":"Metadata",
diff --git a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
index 069f98a3c5..3b3fba8552 100644
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@@ -455,6 +455,7 @@
 "oldValue":"Giá trị cũ",
 "on":"Vào",
 "oidcAuthnLevel":"Mức xác thực",
+"oidcConsents":"OpenID Connect Consents",
 "oidcOP":"Bộ cung cấp Kết nối OpenID",
 "oidcOPMetaDataExportedVars":"Biến đã được xuất",
 "oidcOPMetaDataJSON":"Mô-tả dữ liệu",
-- GitLab
From ee05b4db3dbb0f4590f2218d3f97d289403b0cdd Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Tue, 17 Jul 2018 23:08:01 +0200
Subject: [PATCH 26/40] Modify _oidcConsents key display (#1464)
---
 .../site/coffee/sessions.coffee | 35 ++++++++++++++++
 .../site/htdocs/static/js/sessions.js | 41 ++++++++++++++++---
 .../site/htdocs/static/js/sessions.min.js | 2 +-
 3 files changed, 71 insertions(+), 7 deletions(-)
diff --git a/lemonldap-ng-manager/site/coffee/sessions.coffee b/lemonldap-ng-manager/site/coffee/sessions.coffee
index 3acae3f17e..cd22f9fea9 100644
--- a/lemonldap-ng-manager/site/coffee/sessions.coffee +++ b/lemonldap-ng-manager/site/coffee/sessions.coffee @@ -85,6 +85,7 @@ categories = BrowserID: ['_browserIdAnswer', '_browserIdAnswerRaw'] OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token'] sfaTitle: ['_2fDevices'] + oidcConsents: ['_oidcConsents'] # Menu entries menu = @@ -227,6 +228,40 @@ llapp.controller 'SessionsExplorerCtrl', ['$scope', '$translator', '$location', value: name epoch: epoch delete session[attr] + else if session[attr].toString().match(/"rp":\s*"\w+"/) + subres.push + title: "rp" + value: "scope" + epoch: "date" + array = JSON.parse(session[attr]) + for oidcConsent in array + for key, value of oidcConsent + if key == 'rp' + title = value + if key == 'scope' + name = value + if key == 'epoch' + epoch = value + subres.push + title: title + value: name + epoch: epoch + delete session[attr] + + + + + + + + + + + + + + + else if session[attr].toString().match(/\w+/) subres.push title: attr diff --git a/lemonldap-ng-manager/site/htdocs/static/js/sessions.js b/lemonldap-ng-manager/site/htdocs/static/js/sessions.js index 4aa600b9ef..53536661d1 100644 --- a/lemonldap-ng-manager/site/htdocs/static/js/sessions.js +++ b/lemonldap-ng-manager/site/htdocs/static/js/sessions.js @@ -101,7 +101,8 @@ ldap: ['dn'], BrowserID: ['_browserIdAnswer', '_browserIdAnswerRaw'], OpenIDConnect: ['_oidc_id_token', '_oidc_OP', '_oidc_access_token'], - sfaTitle: ['_2fDevices'] + sfaTitle: ['_2fDevices'], + oidcConsents: ['_oidcConsents'] }; menu = { 
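Review bot: In the new `else if` branch of transformSession, `title`, `name` and `epoch` are not reset for each `oidcConsent`, so an entry missing `scope` or `epoch` is displayed with the previous entry's values; add `title = name = epoch = null` as the first line of the `for oidcConsent in array` loop. `JSON.parse(session[attr])` is also unguarded, so one malformed `_oidcConsents` value aborts rendering of the whole session rather than just that attribute; wrap it in `try`/`catch` and fall through to the plain-value branch on failure. Choosing the branch by regex-sniffing the value (`"rp":\s*"\w+"`) instead of testing `attr == '_oidcConsents'` is fragile — PATCH 27 of this series already has to widen the pattern — and the run of blank `+` lines at the end of the hunk should be dropped. sessions.js and sessions.min.js are generated from this file and carry the same issues; transformSession starts outside the hunk.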
@@ -186,7 +187,7 @@ $scope.displaySession = function(scope) { var sessionId, transformSession; transformSession = function(session) { - var _insert, _stToStr, array, arrayDate, attr, attrs, category, epoch, i, id, j, k, key, l, len, len1, len2, len3, m, name, pattern, ref, ref1, res, sfDevice, subres, time, title, tmp, value; + var _insert, _stToStr, array, arrayDate, attr, attrs, category, epoch, i, id, j, k, key, l, len, len1, len2, len3, len4, m, name, o, oidcConsent, pattern, ref, ref1, res, sfDevice, subres, time, title, tmp, value; _stToStr = function(s) { return s; }; @@ -270,6 +271,34 @@ }); } delete session[attr]; + } else if (session[attr].toString().match(/"rp":\s*"\w+"/)) { + subres.push({ + title: "rp", + value: "scope", + epoch: "date" + }); + array = JSON.parse(session[attr]); + for (k = 0, len2 = array.length; k < len2; k++) { + oidcConsent = array[k]; + for (key in oidcConsent) { + value = oidcConsent[key]; + if (key === 'rp') { + title = value; + } + if (key === 'scope') { + name = value; + } + if (key === 'epoch') { + epoch = value; + } + } + subres.push({ + title: title, + value: name, + epoch: epoch + }); + } + delete session[attr]; } else if (session[attr].toString().match(/\w+/)) { subres.push({ title: attr, @@ -297,8 +326,8 @@ tmp = []; if (session._loginHistory.successLogin) { ref = session._loginHistory.successLogin; - for (k = 0, len2 = ref.length; k < len2; k++) { - l = ref[k]; + for (m = 0, len3 = ref.length; m < len3; m++) { + l = ref[m]; tmp.push({ t: l._utime, title: $scope.localeDate(l._utime), @@ -308,8 +337,8 @@ } if (session._loginHistory.failedLogin) { ref1 = session._loginHistory.failedLogin; - for (m = 0, len3 = ref1.length; m < len3; m++) { - l = ref1[m]; + for (o = 0, len4 = ref1.length; o < len4; o++) { + l = ref1[o]; tmp.push({ t: l._utime, title: $scope.localeDate(l._utime), 
diff --git a/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js b/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js
index a645a21203..8720fef07f 100644
--- a/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js
@@ -1 +1 @@ -(function(){var categories,hiddenAttributes,llapp,max,menu,overScheme,schemes;max=25;schemes={_whatToTrace:[function(t,v){return"groupBy=substr("+t+",1)"},function(t,v){return t+"="+v+"*&groupBy="+t},function(t,v){return t+"="+v}],ipAddr:[function(t,v){return"groupBy=net("+t+",16,1)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",32,2)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",48,3)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",128,4)"},function(t,v){return t+"="+v+"&groupBy=_whatToTrace"},function(t,v,q){return q.replace(/\&groupBy.*$/,"")+("&_whatToTrace="+v)}],_startTime:[function(t,v){return"groupBy=substr("+t+",8)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",10)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",11)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",12)"},function(t,v){return t+"="+v+"*&groupBy=_whatToTrace"},function(t,v,q){console.log(t);console.log(v);console.log(q);return q.replace(/\&groupBy.*$/,"")+("&_whatToTrace="+v)}],doubleIp:[function(t,v){return t},function(t,v){return"_whatToTrace="+v+"&groupBy=ipAddr"},function(t,v,q){return q.replace(/\&groupBy.*$/,"")+("&ipAddr="+v)}]};overScheme={_whatToTrace:function(t,v,level,over){if(level===1){return t+"="+v+"*&groupBy=substr("+t+","+(level+over+1)+")"}else{return null}},ipAddr:function(t,v,level,over){if(level>0&&level<4){return t+"="+v+"*&groupBy=net("+t+","+(16*level+4*(over+1))+",2)"}else{return 
null}}};hiddenAttributes="_password";categories={dateTitle:["_utime","_startTime","_updateTime","_lastAuthnUTime","_lastSeen"],connectionTitle:["ipAddr","_timezone","_url"],authenticationTitle:["_session_id","_user","_password","authenticationLevel"],modulesTitle:["_auth","_userDB","_passwordDB","_issuerDB","_authChoice","_authMulti","_userDBMulti"],saml:["_idp","_idpConfKey","_samlToken","_lassoSessionDump","_lassoIdentityDump"],groups:["groups","hGroups"],ldap:["dn"],BrowserID:["_browserIdAnswer","_browserIdAnswerRaw"],OpenIDConnect:["_oidc_id_token","_oidc_OP","_oidc_access_token"],sfaTitle:["_2fDevices"]};menu={session:[{title:"deleteSession",icon:"trash"}],home:[]};llapp=angular.module("llngSessionsExplorer",["ui.tree","ui.bootstrap","llApp"]);llapp.controller("SessionsExplorerCtrl",["$scope","$translator","$location","$q","$http",function($scope,$translator,$location,$q,$http){var autoId,c,pathEvent,sessionType;$scope.links=links;$scope.menulinks=menulinks;$scope.staticPrefix=staticPrefix;$scope.scriptname=scriptname;$scope.formPrefix=formPrefix;$scope.availableLanguages=availableLanguages;$scope.waiting=true;$scope.showM=false;$scope.showT=true;$scope.data=[];$scope.currentScope=null;$scope.currentSession=null;$scope.menu=menu;$scope.translateP=$translator.translateP;$scope.translate=$translator.translate;$scope.translateTitle=function(node){return $translator.translateField(node,"title")};sessionType="global";$scope.menuClick=function(button){if(button.popup){window.open(button.popup)}else{if(!button.action){button.action=button.title}switch(typeof button.action){case"function":button.action($scope.currentNode,$scope);break;case"string":$scope[button.action]();break;default:console.log(typeof button.action)}}return $scope.showM=false};$scope.deleteSession=function(){$scope.waiting=true;return $http["delete"](scriptname+"sessions/"+sessionType+"/"+$scope.currentSession.id).then(function(response){$scope.currentSession=null;$scope.currentScope.remove();return 
$scope.waiting=false},function(resp){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false})};$scope.stoggle=function(scope){var node;node=scope.$modelValue;if(node.nodes.length===0){$scope.updateTree(node.value,node.nodes,node.level,node.over,node.query,node.count)}return scope.toggle()};$scope.displaySession=function(scope){var sessionId,transformSession;transformSession=function(session){var _insert,_stToStr,array,arrayDate,attr,attrs,category,epoch,i,id,j,k,key,l,len,len1,len2,len3,m,name,pattern,ref,ref1,res,sfDevice,subres,time,title,tmp,value;_stToStr=function(s){return s};_insert=function(re,title){var key,reg,tmp,value;tmp=[];reg=new RegExp(re);for(key in session){value=session[key];if(key.match(reg)&&value){tmp.push({title:key,value:value});delete session[key]}}if(tmp.length>0){return res.push({title:title,nodes:tmp})}};time=session._utime;id=session._session_id;for(key in session){value=session[key];if(!value){delete session[key]}else{if(typeof session==="string"&&value.match(/; /)){session[key]=value.split("; ")}if(typeof session[key]!=="object"){if(hiddenAttributes.match(new RegExp("\b"+key+"\b"))){session[key]="********"}else if(key.match(/^(_utime|_lastAuthnUTime|_lastSeen|notification)$/)){session[key]=$scope.localeDate(value)}else if(key.match(/^(_startTime|_updateTime)$/)){value=_stToStr(value);pattern=/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/;arrayDate=value.match(pattern);session[key]=arrayDate[3]+"/"+arrayDate[2]+"/"+arrayDate[1]+" à "+arrayDate[4]+":"+arrayDate[5]+":"+arrayDate[6]}}}}res=[];for(category in categories){attrs=categories[category];subres=[];for(i=0,len=attrs.length;i0){res.push({title:"__"+category+"__",nodes:subres})}}_insert("^openid","OpenID");_insert("^notification_(.+)","__notificationsDone__");if(session._loginHistory){tmp=[];if(session._loginHistory.successLogin){ref=session._loginHistory.successLogin;for(k=0,len2=ref.length;kb.title){return 1}else 
if(a.titlemax&&overScheme[$scope.type]){if(tmp=overScheme[$scope.type]($scope.type,value,level,over,currentQuery)){over++;query=tmp;level=level-1}else{over=0}}else{over=0}return $http.get(scriptname+"sessions/"+sessionType+"?"+query).then(function(response){var data,i,len,n,ref;data=response.data;if(data.result){ref=data.values;for(i=0,len=ref.length;i0&&level<4){return t+"="+v+"*&groupBy=net("+t+","+(16*level+4*(over+1))+",2)"}else{return null}}};hiddenAttributes="_password";categories={dateTitle:["_utime","_startTime","_updateTime","_lastAuthnUTime","_lastSeen"],connectionTitle:["ipAddr","_timezone","_url"],authenticationTitle:["_session_id","_user","_password","authenticationLevel"],modulesTitle:["_auth","_userDB","_passwordDB","_issuerDB","_authChoice","_authMulti","_userDBMulti"],saml:["_idp","_idpConfKey","_samlToken","_lassoSessionDump","_lassoIdentityDump"],groups:["groups","hGroups"],ldap:["dn"],BrowserID:["_browserIdAnswer","_browserIdAnswerRaw"],OpenIDConnect:["_oidc_id_token","_oidc_OP","_oidc_access_token"],sfaTitle:["_2fDevices"],oidcConsents:["_oidcConsents"]};menu={session:[{title:"deleteSession",icon:"trash"}],home:[]};llapp=angular.module("llngSessionsExplorer",["ui.tree","ui.bootstrap","llApp"]);llapp.controller("SessionsExplorerCtrl",["$scope","$translator","$location","$q","$http",function($scope,$translator,$location,$q,$http){var autoId,c,pathEvent,sessionType;$scope.links=links;$scope.menulinks=menulinks;$scope.staticPrefix=staticPrefix;$scope.scriptname=scriptname;$scope.formPrefix=formPrefix;$scope.availableLanguages=availableLanguages;$scope.waiting=true;$scope.showM=false;$scope.showT=true;$scope.data=[];$scope.currentScope=null;$scope.currentSession=null;$scope.menu=menu;$scope.translateP=$translator.translateP;$scope.translate=$translator.translate;$scope.translateTitle=function(node){return 
$translator.translateField(node,"title")};sessionType="global";$scope.menuClick=function(button){if(button.popup){window.open(button.popup)}else{if(!button.action){button.action=button.title}switch(typeof button.action){case"function":button.action($scope.currentNode,$scope);break;case"string":$scope[button.action]();break;default:console.log(typeof button.action)}}return $scope.showM=false};$scope.deleteSession=function(){$scope.waiting=true;return $http["delete"](scriptname+"sessions/"+sessionType+"/"+$scope.currentSession.id).then(function(response){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false},function(resp){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false})};$scope.stoggle=function(scope){var node;node=scope.$modelValue;if(node.nodes.length===0){$scope.updateTree(node.value,node.nodes,node.level,node.over,node.query,node.count)}return scope.toggle()};$scope.displaySession=function(scope){var sessionId,transformSession;transformSession=function(session){var _insert,_stToStr,array,arrayDate,attr,attrs,category,epoch,i,id,j,k,key,l,len,len1,len2,len3,len4,m,name,o,oidcConsent,pattern,ref,ref1,res,sfDevice,subres,time,title,tmp,value;_stToStr=function(s){return s};_insert=function(re,title){var key,reg,tmp,value;tmp=[];reg=new RegExp(re);for(key in session){value=session[key];if(key.match(reg)&&value){tmp.push({title:key,value:value});delete session[key]}}if(tmp.length>0){return res.push({title:title,nodes:tmp})}};time=session._utime;id=session._session_id;for(key in session){value=session[key];if(!value){delete session[key]}else{if(typeof session==="string"&&value.match(/; /)){session[key]=value.split("; ")}if(typeof session[key]!=="object"){if(hiddenAttributes.match(new RegExp("\b"+key+"\b"))){session[key]="********"}else if(key.match(/^(_utime|_lastAuthnUTime|_lastSeen|notification)$/)){session[key]=$scope.localeDate(value)}else 
if(key.match(/^(_startTime|_updateTime)$/)){value=_stToStr(value);pattern=/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/;arrayDate=value.match(pattern);session[key]=arrayDate[3]+"/"+arrayDate[2]+"/"+arrayDate[1]+" à "+arrayDate[4]+":"+arrayDate[5]+":"+arrayDate[6]}}}}res=[];for(category in categories){attrs=categories[category];subres=[];for(i=0,len=attrs.length;i0){res.push({title:"__"+category+"__",nodes:subres})}}_insert("^openid","OpenID");_insert("^notification_(.+)","__notificationsDone__");if(session._loginHistory){tmp=[];if(session._loginHistory.successLogin){ref=session._loginHistory.successLogin;for(m=0,len3=ref.length;mb.title){return 1}else if(a.titlemax&&overScheme[$scope.type]){if(tmp=overScheme[$scope.type]($scope.type,value,level,over,currentQuery)){over++;query=tmp;level=level-1}else{over=0}}else{over=0}return $http.get(scriptname+"sessions/"+sessionType+"?"+query).then(function(response){var data,i,len,n,ref;data=response.data;if(data.result){ref=data.values;for(i=0,len=ref.length;i Date: Tue, 17 Jul 2018 23:24:41 +0200 Subject: [PATCH 27/40] WIP - Modify _oidcConsents key display (#1464) --- .../site/coffee/sessions.coffee | 2 +- .../site/htdocs/static/js/sessions.js | 2 +- .../site/htdocs/static/js/sessions.min.js | 2 +- .../site/templates/sessions.tpl | 18 ++++++++++++++---- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/lemonldap-ng-manager/site/coffee/sessions.coffee b/lemonldap-ng-manager/site/coffee/sessions.coffee index cd22f9fea9..7ad9223251 100644 --- a/lemonldap-ng-manager/site/coffee/sessions.coffee +++ b/lemonldap-ng-manager/site/coffee/sessions.coffee @@ -228,7 +228,7 @@ llapp.controller 'SessionsExplorerCtrl', ['$scope', '$translator', '$location', value: name epoch: epoch delete session[attr] - else if session[attr].toString().match(/"rp":\s*"\w+"/) + else if session[attr].toString().match(/"rp":\s*"[\w-]+"/) subres.push title: "rp" value: "scope" 
diff --git a/lemonldap-ng-manager/site/htdocs/static/js/sessions.js b/lemonldap-ng-manager/site/htdocs/static/js/sessions.js index 53536661d1..e4072536fb 100644 --- a/lemonldap-ng-manager/site/htdocs/static/js/sessions.js +++ b/lemonldap-ng-manager/site/htdocs/static/js/sessions.js @@ -271,7 +271,7 @@ }); } delete session[attr]; - } else if (session[attr].toString().match(/"rp":\s*"\w+"/)) { + } else if (session[attr].toString().match(/"rp":\s*"[\w-]+"/)) { subres.push({ title: "rp", value: "scope", diff --git a/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js b/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js index 8720fef07f..39fa45b718 100644 --- a/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js +++ b/lemonldap-ng-manager/site/htdocs/static/js/sessions.min.js 
@@ -1 +1 @@ -(function(){var categories,hiddenAttributes,llapp,max,menu,overScheme,schemes;max=25;schemes={_whatToTrace:[function(t,v){return"groupBy=substr("+t+",1)"},function(t,v){return t+"="+v+"*&groupBy="+t},function(t,v){return t+"="+v}],ipAddr:[function(t,v){return"groupBy=net("+t+",16,1)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",32,2)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",48,3)"},function(t,v){if(!v.match(/:/)){v=v+"."}return t+"="+v+"*&groupBy=net("+t+",128,4)"},function(t,v){return t+"="+v+"&groupBy=_whatToTrace"},function(t,v,q){return q.replace(/\&groupBy.*$/,"")+("&_whatToTrace="+v)}],_startTime:[function(t,v){return"groupBy=substr("+t+",8)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",10)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",11)"},function(t,v){return t+"="+v+"*&groupBy=substr("+t+",12)"},function(t,v){return t+"="+v+"*&groupBy=_whatToTrace"},function(t,v,q){console.log(t);console.log(v);console.log(q);return q.replace(/\&groupBy.*$/,"")+("&_whatToTrace="+v)}],doubleIp:[function(t,v){return t},function(t,v){return"_whatToTrace="+v+"&groupBy=ipAddr"},function(t,v,q){return q.replace(/\&groupBy.*$/,"")+("&ipAddr="+v)}]};overScheme={_whatToTrace:function(t,v,level,over){if(level===1){return t+"="+v+"*&groupBy=substr("+t+","+(level+over+1)+")"}else{return null}},ipAddr:function(t,v,level,over){if(level>0&&level<4){return t+"="+v+"*&groupBy=net("+t+","+(16*level+4*(over+1))+",2)"}else{return 
null}}};hiddenAttributes="_password";categories={dateTitle:["_utime","_startTime","_updateTime","_lastAuthnUTime","_lastSeen"],connectionTitle:["ipAddr","_timezone","_url"],authenticationTitle:["_session_id","_user","_password","authenticationLevel"],modulesTitle:["_auth","_userDB","_passwordDB","_issuerDB","_authChoice","_authMulti","_userDBMulti"],saml:["_idp","_idpConfKey","_samlToken","_lassoSessionDump","_lassoIdentityDump"],groups:["groups","hGroups"],ldap:["dn"],BrowserID:["_browserIdAnswer","_browserIdAnswerRaw"],OpenIDConnect:["_oidc_id_token","_oidc_OP","_oidc_access_token"],sfaTitle:["_2fDevices"],oidcConsents:["_oidcConsents"]};menu={session:[{title:"deleteSession",icon:"trash"}],home:[]};llapp=angular.module("llngSessionsExplorer",["ui.tree","ui.bootstrap","llApp"]);llapp.controller("SessionsExplorerCtrl",["$scope","$translator","$location","$q","$http",function($scope,$translator,$location,$q,$http){var autoId,c,pathEvent,sessionType;$scope.links=links;$scope.menulinks=menulinks;$scope.staticPrefix=staticPrefix;$scope.scriptname=scriptname;$scope.formPrefix=formPrefix;$scope.availableLanguages=availableLanguages;$scope.waiting=true;$scope.showM=false;$scope.showT=true;$scope.data=[];$scope.currentScope=null;$scope.currentSession=null;$scope.menu=menu;$scope.translateP=$translator.translateP;$scope.translate=$translator.translate;$scope.translateTitle=function(node){return $translator.translateField(node,"title")};sessionType="global";$scope.menuClick=function(button){if(button.popup){window.open(button.popup)}else{if(!button.action){button.action=button.title}switch(typeof button.action){case"function":button.action($scope.currentNode,$scope);break;case"string":$scope[button.action]();break;default:console.log(typeof button.action)}}return $scope.showM=false};$scope.deleteSession=function(){$scope.waiting=true;return 
$http["delete"](scriptname+"sessions/"+sessionType+"/"+$scope.currentSession.id).then(function(response){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false},function(resp){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false})};$scope.stoggle=function(scope){var node;node=scope.$modelValue;if(node.nodes.length===0){$scope.updateTree(node.value,node.nodes,node.level,node.over,node.query,node.count)}return scope.toggle()};$scope.displaySession=function(scope){var sessionId,transformSession;transformSession=function(session){var _insert,_stToStr,array,arrayDate,attr,attrs,category,epoch,i,id,j,k,key,l,len,len1,len2,len3,len4,m,name,o,oidcConsent,pattern,ref,ref1,res,sfDevice,subres,time,title,tmp,value;_stToStr=function(s){return s};_insert=function(re,title){var key,reg,tmp,value;tmp=[];reg=new RegExp(re);for(key in session){value=session[key];if(key.match(reg)&&value){tmp.push({title:key,value:value});delete session[key]}}if(tmp.length>0){return res.push({title:title,nodes:tmp})}};time=session._utime;id=session._session_id;for(key in session){value=session[key];if(!value){delete session[key]}else{if(typeof session==="string"&&value.match(/; /)){session[key]=value.split("; ")}if(typeof session[key]!=="object"){if(hiddenAttributes.match(new RegExp("\b"+key+"\b"))){session[key]="********"}else if(key.match(/^(_utime|_lastAuthnUTime|_lastSeen|notification)$/)){session[key]=$scope.localeDate(value)}else if(key.match(/^(_startTime|_updateTime)$/)){value=_stToStr(value);pattern=/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/;arrayDate=value.match(pattern);session[key]=arrayDate[3]+"/"+arrayDate[2]+"/"+arrayDate[1]+" à "+arrayDate[4]+":"+arrayDate[5]+":"+arrayDate[6]}}}}res=[];for(category in 
categories){attrs=categories[category];subres=[];for(i=0,len=attrs.length;i0){res.push({title:"__"+category+"__",nodes:subres})}}_insert("^openid","OpenID");_insert("^notification_(.+)","__notificationsDone__");if(session._loginHistory){tmp=[];if(session._loginHistory.successLogin){ref=session._loginHistory.successLogin;for(m=0,len3=ref.length;mb.title){return 1}else if(a.titlemax&&overScheme[$scope.type]){if(tmp=overScheme[$scope.type]($scope.type,value,level,over,currentQuery)){over++;query=tmp;level=level-1}else{over=0}}else{over=0}return $http.get(scriptname+"sessions/"+sessionType+"?"+query).then(function(response){var data,i,len,n,ref;data=response.data;if(data.result){ref=data.values;for(i=0,len=ref.length;i0&&level<4){return t+"="+v+"*&groupBy=net("+t+","+(16*level+4*(over+1))+",2)"}else{return null}}};hiddenAttributes="_password";categories={dateTitle:["_utime","_startTime","_updateTime","_lastAuthnUTime","_lastSeen"],connectionTitle:["ipAddr","_timezone","_url"],authenticationTitle:["_session_id","_user","_password","authenticationLevel"],modulesTitle:["_auth","_userDB","_passwordDB","_issuerDB","_authChoice","_authMulti","_userDBMulti"],saml:["_idp","_idpConfKey","_samlToken","_lassoSessionDump","_lassoIdentityDump"],groups:["groups","hGroups"],ldap:["dn"],BrowserID:["_browserIdAnswer","_browserIdAnswerRaw"],OpenIDConnect:["_oidc_id_token","_oidc_OP","_oidc_access_token"],sfaTitle:["_2fDevices"],oidcConsents:["_oidcConsents"]};menu={session:[{title:"deleteSession",icon:"trash"}],home:[]};llapp=angular.module("llngSessionsExplorer",["ui.tree","ui.bootstrap","llApp"]);llapp.controller("SessionsExplorerCtrl",["$scope","$translator","$location","$q","$http",function($scope,$translator,$location,$q,$http){var 
autoId,c,pathEvent,sessionType;$scope.links=links;$scope.menulinks=menulinks;$scope.staticPrefix=staticPrefix;$scope.scriptname=scriptname;$scope.formPrefix=formPrefix;$scope.availableLanguages=availableLanguages;$scope.waiting=true;$scope.showM=false;$scope.showT=true;$scope.data=[];$scope.currentScope=null;$scope.currentSession=null;$scope.menu=menu;$scope.translateP=$translator.translateP;$scope.translate=$translator.translate;$scope.translateTitle=function(node){return $translator.translateField(node,"title")};sessionType="global";$scope.menuClick=function(button){if(button.popup){window.open(button.popup)}else{if(!button.action){button.action=button.title}switch(typeof button.action){case"function":button.action($scope.currentNode,$scope);break;case"string":$scope[button.action]();break;default:console.log(typeof button.action)}}return $scope.showM=false};$scope.deleteSession=function(){$scope.waiting=true;return $http["delete"](scriptname+"sessions/"+sessionType+"/"+$scope.currentSession.id).then(function(response){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false},function(resp){$scope.currentSession=null;$scope.currentScope.remove();return $scope.waiting=false})};$scope.stoggle=function(scope){var node;node=scope.$modelValue;if(node.nodes.length===0){$scope.updateTree(node.value,node.nodes,node.level,node.over,node.query,node.count)}return scope.toggle()};$scope.displaySession=function(scope){var sessionId,transformSession;transformSession=function(session){var _insert,_stToStr,array,arrayDate,attr,attrs,category,epoch,i,id,j,k,key,l,len,len1,len2,len3,len4,m,name,o,oidcConsent,pattern,ref,ref1,res,sfDevice,subres,time,title,tmp,value;_stToStr=function(s){return s};_insert=function(re,title){var key,reg,tmp,value;tmp=[];reg=new RegExp(re);for(key in session){value=session[key];if(key.match(reg)&&value){tmp.push({title:key,value:value});delete session[key]}}if(tmp.length>0){return 
res.push({title:title,nodes:tmp})}};time=session._utime;id=session._session_id;for(key in session){value=session[key];if(!value){delete session[key]}else{if(typeof session==="string"&&value.match(/; /)){session[key]=value.split("; ")}if(typeof session[key]!=="object"){if(hiddenAttributes.match(new RegExp("\b"+key+"\b"))){session[key]="********"}else if(key.match(/^(_utime|_lastAuthnUTime|_lastSeen|notification)$/)){session[key]=$scope.localeDate(value)}else if(key.match(/^(_startTime|_updateTime)$/)){value=_stToStr(value);pattern=/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/;arrayDate=value.match(pattern);session[key]=arrayDate[3]+"/"+arrayDate[2]+"/"+arrayDate[1]+" à "+arrayDate[4]+":"+arrayDate[5]+":"+arrayDate[6]}}}}res=[];for(category in categories){attrs=categories[category];subres=[];for(i=0,len=attrs.length;i0){res.push({title:"__"+category+"__",nodes:subres})}}_insert("^openid","OpenID");_insert("^notification_(.+)","__notificationsDone__");if(session._loginHistory){tmp=[];if(session._loginHistory.successLogin){ref=session._loginHistory.successLogin;for(m=0,len3=ref.length;mb.title){return 1}else if(a.titlemax&&overScheme[$scope.type]){if(tmp=overScheme[$scope.type]($scope.type,value,level,over,currentQuery)){over++;query=tmp;level=level-1}else{over=0}}else{over=0}return $http.get(scriptname+"sessions/"+sessionType+"?"+query).then(function(response){var data,i,len,n,ref;data=response.data;if(data.result){ref=data.values;for(i=0,len=ref.length;i
- + - + - - + + + + + + + + + + + +
">"> " title="delete" class="oidcConsent link nodecor text-danger glyphicon glyphicon-minus-sign"> {{translate(node.title)}}${{node.title}}${{node.title}} {{node.title}}{{translate(node.value)}}{{translate(node.value)}} {{node.value}}{{translate(node.epoch)}}{{localeDate(node.epoch)}}{{translate(node.epoch)}}{{localeDate(node.epoch)}}