Commit d881605f authored by Xavier Guimard's avatar Xavier Guimard

Merge branch 'v2.0'

parents 374cac78 0b69baa5
...@@ -133,6 +133,10 @@ License: CC-3 ...@@ -133,6 +133,10 @@ License: CC-3
Comment: This work, "CustomAuth.png", is a derivative of Comment: This work, "CustomAuth.png", is a derivative of
"Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0. "Noun project 1162.svg" by Christopher T. Howlett, under CC-BY-3.0.
Files: lemonldap-ng-portal/site/htdocs/static/common/fonts/password.ttf
Copyright: 2007, the Tap2Play Team, https://git.tap2play.org.au/tap2play/web/tree/dev/fonts
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/* Files: lemonldap-ng-portal/site/htdocs/static/common/backgrounds/*
Copyright: Various artists Copyright: Various artists
License: CC-BY-NC-ND-3.0 or GFDL-1.3 License: CC-BY-NC-ND-3.0 or GFDL-1.3
......
...@@ -3,4 +3,4 @@ log_format lm_combined '$remote_addr - $lmremote_user [$time_local] ' ...@@ -3,4 +3,4 @@ log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
'"$http_referer" "$http_user_agent" $lmremote_custom'; '"$http_referer" "$http_user_agent" $lmremote_custom';
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] ' log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $lmremote_custom'; '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
...@@ -116,7 +116,7 @@ ...@@ -116,7 +116,7 @@
</IfVersion> </IfVersion>
</Location> </Location>
# Enabe compression # Enable compression
<Location /> <Location />
<IfModule mod_deflate.c> <IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
......
...@@ -87,7 +87,7 @@ ...@@ -87,7 +87,7 @@
Deny from all Deny from all
</Location> </Location>
# Enabe compression # Enable compression
<Location /> <Location />
<IfModule mod_deflate.c> <IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
......
--- ---
generation: 2 generation: 3
last_run_time: 1567071551.30841 last_run_time: 1568228253.60673
tests: tests:
t/01-Common-Conf.t: t/01-Common-Conf.t:
elapsed: 0.472490072250366 elapsed: 0.0860559940338135
gen: 2 gen: 3
last_pass_time: 1567071550.71014 last_pass_time: 1568228253.51096
last_result: 0 last_result: 0
last_run_time: 1567071550.71014 last_run_time: 1568228253.51096
last_todo: 0 last_todo: 0
seq: 5 mtime: 1566161618
total_passes: 1 seq: 14
total_passes: 2
t/02-Common-Conf-File.t: t/02-Common-Conf-File.t:
elapsed: 0.0793302059173584 elapsed: 0.0139250755310059
gen: 2 gen: 3
last_pass_time: 1567071550.68052 last_pass_time: 1568228253.60618
last_result: 0 last_result: 0
last_run_time: 1567071550.68052 last_run_time: 1568228253.60618
last_todo: 0 last_todo: 0
seq: 4 mtime: 1566161618
total_passes: 1 seq: 22
total_passes: 2
t/03-Common-Conf-CDBI.t: t/03-Common-Conf-CDBI.t:
elapsed: 0.61043119430542 elapsed: 0.166121959686279
gen: 2 gen: 3
last_pass_time: 1567071550.95767 last_pass_time: 1568228253.58678
last_result: 0 last_result: 0
last_run_time: 1567071550.95767 last_run_time: 1568228253.58678
last_todo: 0 last_todo: 0
seq: 6 mtime: 1567458069
total_passes: 1 seq: 19
total_passes: 2
t/03-Common-Conf-RDBI.t: t/03-Common-Conf-RDBI.t:
elapsed: 0.66497802734375 elapsed: 0.187541961669922
gen: 2 gen: 3
last_pass_time: 1567071551.00435 last_pass_time: 1568228253.60138
last_result: 0 last_result: 0
last_run_time: 1567071551.00435 last_run_time: 1568228253.60138
last_todo: 0 last_todo: 0
seq: 7 mtime: 1567458069
total_passes: 1 seq: 21
total_passes: 2
t/05-Common-Conf-LDAP.t: t/05-Common-Conf-LDAP.t:
elapsed: 0.64878511428833 elapsed: 0.157251119613647
gen: 2 gen: 3
last_pass_time: 1567071551.07637 last_pass_time: 1568228253.57577
last_result: 0 last_result: 0
last_run_time: 1567071551.07637 last_run_time: 1568228253.57577
last_todo: 0 last_todo: 0
seq: 8 mtime: 1566161616
total_passes: 1 seq: 16
total_passes: 2
t/30-Common-Safelib.t: t/30-Common-Safelib.t:
elapsed: 0.0283739566802979 elapsed: 0.0150928497314453
gen: 2 gen: 3
last_pass_time: 1567071550.40529 last_pass_time: 1568228253.58625
last_result: 0 last_result: 0
last_run_time: 1567071550.40529 last_run_time: 1568228253.58625
last_todo: 0 last_todo: 0
seq: 1 mtime: 1566161617
total_passes: 1 seq: 18
total_passes: 2
t/35-Common-Crypto.t: t/35-Common-Crypto.t:
elapsed: 0.190783977508545 elapsed: 0.0329771041870117
gen: 2 gen: 3
last_pass_time: 1567071550.63236 last_pass_time: 1568228253.46102
last_result: 0 last_result: 0
last_run_time: 1567071550.63236 last_run_time: 1568228253.46102
last_todo: 0 last_todo: 0
seq: 3 mtime: 1567541253
total_passes: 1 seq: 12
total_passes: 2
t/36-Common-Regexp.t: t/36-Common-Regexp.t:
elapsed: 0.0631709098815918 elapsed: 0.00531005859375
gen: 2 gen: 3
last_pass_time: 1567071550.50944 last_pass_time: 1568228253.59092
last_result: 0 last_result: 0
last_run_time: 1567071550.50944 last_run_time: 1568228253.59092
last_todo: 0 last_todo: 0
seq: 2 mtime: 1566161618
total_passes: 1 seq: 20
total_passes: 2
t/40-Common-Session.t: t/40-Common-Session.t:
elapsed: 0.184284210205078 elapsed: 0.0833292007446289
gen: 2 gen: 3
last_pass_time: 1567071551.11977 last_pass_time: 1568228253.51475
last_result: 0 last_result: 0
last_run_time: 1567071551.11977 last_run_time: 1568228253.51475
last_todo: 0 last_todo: 0
seq: 9 mtime: 1566161618
total_passes: 1 seq: 15
total_passes: 2
t/50-Combination-Parser.t: t/50-Combination-Parser.t:
elapsed: 0.108580827713013 elapsed: 0.0678761005401611
gen: 2 gen: 3
last_pass_time: 1567071551.1593 last_pass_time: 1568228253.50556
last_result: 0 last_result: 0
last_run_time: 1567071551.1593 last_run_time: 1568228253.50556
last_todo: 0 last_todo: 0
seq: 10 mtime: 1566161617
total_passes: 1 seq: 13
total_passes: 2
t/99-pod.t: t/99-pod.t:
elapsed: 0.128799915313721 elapsed: 0.100279092788696
gen: 2 gen: 3
last_pass_time: 1567071551.30716 last_pass_time: 1568228253.57739
last_result: 0 last_result: 0
last_run_time: 1567071551.30716 last_run_time: 1568228253.57739
last_todo: 0 last_todo: 0
seq: 11 mtime: 1566161617
total_passes: 1 seq: 17
total_passes: 2
version: 1 version: 1
... ...
...@@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager"; ...@@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer"; use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply"; use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/; our $hashParameters = 
qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|p(?:ortal(?:ErrorOn(?:ExpiredSession|MailNotFound)|DisplayRe(?:setPassword|gister)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecr
etKeys)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs)|bruteForceProtection)$/; our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)
|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' ); our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
......
...@@ -200,6 +200,10 @@ sub defaultValues { ...@@ -200,6 +200,10 @@ sub defaultValues {
'pamAuthnLevel' => 2, 'pamAuthnLevel' => 2,
'pamService' => 'login', 'pamService' => 'login',
'passwordDB' => 'Demo', 'passwordDB' => 'Demo',
'passwordPolicyMinDigit' => 0,
'passwordPolicyMinLower' => 0,
'passwordPolicyMinSize' => 0,
'passwordPolicyMinUpper' => 0,
'passwordResetAllowedRetries' => 3, 'passwordResetAllowedRetries' => 3,
'port' => -1, 'port' => -1,
'portal' => 'http://auth.example.com/', 'portal' => 'http://auth.example.com/',
...@@ -235,9 +239,10 @@ sub defaultValues { ...@@ -235,9 +239,10 @@ sub defaultValues {
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService', 'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions' 'proxy' => 'http://auth.example.com/sessions'
}, },
'requireToken' => 1, 'requireToken' => 1,
'rest2fActivation' => 0, 'rest2fActivation' => 0,
'restAuthnLevel' => 2, 'restAuthnLevel' => 2,
'restClockTolerance' => 15,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' => 'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;', 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4, 'samlAuthnContextMapKerberos' => 4,
......
...@@ -36,7 +36,7 @@ our $authParameters = { ...@@ -36,7 +36,7 @@ our $authParameters = {
adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)], adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)],
apacheParams => [qw(apacheAuthnLevel)], apacheParams => [qw(apacheAuthnLevel)],
casParams => [qw(casAuthnLevel)], casParams => [qw(casAuthnLevel)],
choiceParams => [qw(authChoiceParam authChoiceModules)], choiceParams => [qw(authChoiceParam authChoiceModules authChoiceAuthBasic)],
combinationParams => [qw(combination combModules combinationForms)], combinationParams => [qw(combination combModules combinationForms)],
customParams => [qw(customAuth customUserDB customPassword customRegister customAddParams)], customParams => [qw(customAuth customUserDB customPassword customRegister customAddParams)],
dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash dbiDynamicHashEnabled dbiDynamicHashValidSchemes dbiDynamicHashValidSaltedSchemes dbiDynamicHashNewPasswordScheme)], dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash dbiDynamicHashEnabled dbiDynamicHashValidSchemes dbiDynamicHashValidSaltedSchemes dbiDynamicHashNewPasswordScheme)],
...@@ -44,7 +44,7 @@ our $authParameters = { ...@@ -44,7 +44,7 @@ our $authParameters = {
facebookParams => [qw(facebookAuthnLevel facebookExportedVars facebookAppId facebookAppSecret facebookUserField)], facebookParams => [qw(facebookAuthnLevel facebookExportedVars facebookAppId facebookAppSecret facebookUserField)],
gpgParams => [qw(gpgAuthnLevel gpgDb)], gpgParams => [qw(gpgAuthnLevel gpgDb)],
kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)], kerberosParams => [qw(krbAuthnLevel krbKeytab krbByJs krbRemoveDomain)],
ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword)], ldapParams => [qw(ldapAuthnLevel ldapExportedVars ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw LDAPFilter AuthLDAPFilter mailLDAPFilter ldapSearchDeref ldapGroupBase ldapGroupObjectClass ldapGroupAttributeName ldapGroupAttributeNameUser ldapGroupAttributeNameSearch ldapGroupDecodeSearchedValue ldapGroupRecursive ldapGroupAttributeNameGroup ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser ldapPwdEnc ldapUsePasswordResetAttribute ldapPasswordResetAttribute ldapPasswordResetAttributeValue ldapAllowResetExpiredPassword ldapITDS)],
linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInUserField linkedInScope)], linkedinParams => [qw(linkedInAuthnLevel linkedInClientID linkedInClientSecret linkedInUserField linkedInScope)],
nullParams => [qw(nullAuthnLevel)], nullParams => [qw(nullAuthnLevel)],
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)], oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
......
...@@ -2,7 +2,7 @@ package Lemonldap::NG::Handler::Lib::AuthBasic; ...@@ -2,7 +2,7 @@ package Lemonldap::NG::Handler::Lib::AuthBasic;
use strict; use strict;
use Exporter; use Exporter;
use Digest::MD5; use Digest::SHA;
use MIME::Base64; use MIME::Base64;
use HTTP::Headers; use HTTP::Headers;
...@@ -29,7 +29,7 @@ sub fetchId { ...@@ -29,7 +29,7 @@ sub fetchId {
$creds =~ s/^Basic\s+//; $creds =~ s/^Basic\s+//;
my @date = localtime; my @date = localtime;
my $day = $date[5] * 366 + $date[7]; my $day = $date[5] * 366 + $date[7];
return Digest::MD5::md5_hex( $creds . $day ); return Digest::SHA::sha256_hex( $creds . $day );
} }
else { else {
return 0; return 0;
...@@ -94,7 +94,13 @@ sub createSession { ...@@ -94,7 +94,13 @@ sub createSession {
build_urlencoded( build_urlencoded(
user => $user, user => $user,
password => $pwd, password => $pwd,
secret => $class->tsv->{cipher}->encrypt(time) secret => $class->tsv->{cipher}->encrypt(time),
(
$class->tsv->{authChoiceAuthBasic}
? ( $class->tsv->{authChoiceParam} =>
$class->tsv->{authChoiceAuthBasic} )
: ()
)
) )
); );
my $resp = $class->ua->request($get); my $resp = $class->ua->request($get);
...@@ -162,8 +168,8 @@ sub ua { ...@@ -162,8 +168,8 @@ sub ua {
my ($class) = @_; my ($class) = @_;
return $_ua if ($_ua); return $_ua if ($_ua);
$_ua = Lemonldap::NG::Common::UserAgent->new( { $_ua = Lemonldap::NG::Common::UserAgent->new( {
lwpOpts => $class->localConfig->{lwpOpts}, lwpOpts => $class->tsv->{lwpOpts},
lwpSslOpts => $class->localConfig->{lwpSslOpts} lwpSslOpts => $class->tsv->{lwpSslOpts}
} }
); );
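Review bot: The id returned by `return Digest::SHA::sha256_hex( $creds . $day );` in fetchId is still an unkeyed digest of the Base64 credentials plus a predictable day counter, so moving from MD5 to SHA-256 does not change the risk that anyone who can read the id (logs, a shared session backend) can recover the password by guessing offline. Keying the digest with a server-side secret closes that, e.g. `return Digest::SHA::hmac_sha256_hex( $creds . $day, <handler-secret> );`, where `<handler-secret>` is a placeholder for whatever secret the handler configuration already exposes via tsv. Changing the digest also invalidates any ids cached under the old MD5 form, which deserves a line in the changelog. In the createSession hunk, the added pair is keyed on `$class->tsv->{authChoiceParam}` and only guarded on authChoiceAuthBasic; if authChoiceParam can be unset the request gains an undefined parameter name, so guarding on both values is safer. fetchId and createSession both start before their hunks, so the surrounding conditionals are not visible here.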
......
...@@ -197,7 +197,8 @@ sub defaultValuesInit { ...@@ -197,7 +197,8 @@ sub defaultValuesInit {
securedCookie timeout timeoutActivity securedCookie timeout timeoutActivity
timeoutActivityInterval useRedirectOnError useRedirectOnForbidden timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
useSafeJail whatToTrace handlerInternalCache useSafeJail whatToTrace handlerInternalCache
handlerServiceTokenTTL customToTrace handlerServiceTokenTTL customToTrace lwpOpts lwpSslOpts
authChoiceParam authChoiceAuthBasic
) )
); );
......
...@@ -278,6 +278,9 @@ sub attributes { ...@@ -278,6 +278,9 @@ sub attributes {
'keyTest' => qr/\w/, 'keyTest' => qr/\w/,
'type' => 'catAndAppList' 'type' => 'catAndAppList'
}, },
'authChoiceAuthBasic' => {
'type' => 'text'
},
'authChoiceModules' => { 'authChoiceModules' => {
'keyMsgFail' => '__badChoiceKey__', 'keyMsgFail' => '__badChoiceKey__',
'keyTest' => qr/^(\d*)?[a-zA-Z0-9_]+$/, 'keyTest' => qr/^(\d*)?[a-zA-Z0-9_]+$/,
...@@ -605,6 +608,10 @@ sub attributes { ...@@ -605,6 +608,10 @@ sub attributes {
'default' => 'TOTP,U2F,Yubikey', 'default' => 'TOTP,U2F,Yubikey',
'type' => 'text' 'type' => 'text'
}, },
'browsersDontStorePassword' => {
'default' => 0,
'type' => 'bool'
},
'bruteForceProtection' => { 'bruteForceProtection' => {
'default' => 0, 'default' => 0,
'type' => 'bool' 'type' => 'bool'
...@@ -1475,6 +1482,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0- ...@@ -1475,6 +1482,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'default' => 0, 'default' => 0,
'type' => 'bool' 'type' => 'bool'
}, },
'ldapITDS' => {
'default' => 0,
'type' => 'bool'
},
'ldapPasswordResetAttribute' => { 'ldapPasswordResetAttribute' => {
'default' => 'pwdReset', 'default' => 'pwdReset',
'type' => 'text' 'type' => 'text'
...@@ -2255,6 +2266,22 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ ...@@ -2255,6 +2266,22 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
], ],
'type' => 'select' 'type' => 'select'
}, },
'passwordPolicyMinDigit' => {
'default' => 0,
'type' => 'int'
},
'passwordPolicyMinLower' => {
'default' => 0,
'type' => 'int'
},
'passwordPolicyMinSize' => {
'default' => 0,
'type' => 'int'
},
'passwordPolicyMinUpper' => {
'default' => 0,
'type' => 'int'
},
'passwordResetAllowedRetries' => { 'passwordResetAllowedRetries' => {
'default' => 3, 'default' => 3,
'type' => 'int' 'type' => 'int'
...@@ -2315,6 +2342,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -2315,6 +2342,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '$_oidcConnectedRP', 'default' => '$_oidcConnectedRP',
'type' => 'boolOrExpr' 'type' => 'boolOrExpr'
}, },
'portalDisplayPasswordPolicy' => {
'default' => 0,
'type' => 'bool'
},
'portalDisplayRegister' => { 'portalDisplayRegister' => {
'default' => 1, 'default' => 1,
'type' => 'bool' 'type' => 'bool'
...@@ -2609,6 +2640,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -2609,6 +2640,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'restAuthUrl' => { 'restAuthUrl' => {
'type' => 'url' 'type' => 'url'
}, },
'restClockTolerance' => {
'default' => 15,
'type' => 'int'
},
'restConfigServer' => { 'restConfigServer' => {
'default' => 0, 'default' => 0,
'type' => 'bool' 'type' => 'bool'
......
...@@ -877,6 +877,11 @@ sub attributes { ...@@ -877,6 +877,11 @@ sub attributes {
default => '^[\w\.\-@]+$', default => '^[\w\.\-@]+$',
documentation => 'Regular expression to validate login', documentation => 'Regular expression to validate login',
}, },
browsersDontStorePassword => {
default => 0,
type => 'bool',
documentation => 'Avoid browsers to store users password',
},
useRedirectOnError => { useRedirectOnError => {
type => 'bool', type => 'bool',
default => 1, default => 1,
...@@ -1297,6 +1302,31 @@ sub attributes { ...@@ -1297,6 +1302,31 @@ sub attributes {
type => 'bool', type => 'bool',
documentation => 'Hide old password in portal', documentation => 'Hide old password in portal',
}, },
passwordPolicyMinSize => {
default => 0,
type => 'int',
documentation => 'Password policy: minimal size',
},
passwordPolicyMinLower => {
default => 0,
type => 'int',
documentation => 'Password policy: minimal lower characters',
},
passwordPolicyMinUpper => {
default => 0,
type => 'int',
documentation => 'Password policy: minimal upper characters',
},
passwordPolicyMinDigit => {
default => 0,
type => 'int',
documentation => 'Password policy: minimal digit characters',
},
portalDisplayPasswordPolicy => {
default => 0,
type => 'bool',
documentation => 'Display policy in password form',
},
# SMTP server # SMTP server
SMTPServer => { SMTPServer => {
...@@ -1798,6 +1828,12 @@ sub attributes { ...@@ -1798,6 +1828,12 @@ sub attributes {
documentation => documentation =>
'Allow to export secret keys in REST session server', 'Allow to export secret keys in REST session server',
}, },
restClockTolerance => {
default => 15,
type => 'int',
documentation =>
'How tolerant the REST session server will be to clock dift',
},
restConfigServer => { restConfigServer => {
default => 0, default => 0,
type => 'bool', type => 'bool',
...@@ -2970,6 +3006,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?: ...@@ -2970,6 +3006,11 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
type => 'bool', type => 'bool',
documentation => 'Allow a user to reset his expired password', documentation => 'Allow a user to reset his expired password',
}, },
ldapITDS => {
default => 0,
type => 'bool',
documentation => 'Support for IBM Tivoli Directory Server',
},
# SSL # SSL
SSLAuthnLevel => { SSLAuthnLevel => {
...@@ -3298,6 +3339,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?: ...@@ -3298,6 +3339,10 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 'lmAuth', default => 'lmAuth',
documentation => 'Applications list', documentation => 'Applications list',
}, },
authChoiceAuthBasic => {
type => 'text',
documentation => 'Auth module used by AuthBasic handler',
},
authChoiceModules => { authChoiceModules => {
type => 'authChoiceContainer', type => 'authChoiceContainer',
keyTest => qr/^(\d*)?[a-zA-Z0-9_]+$/, keyTest => qr/^(\d*)?[a-zA-Z0-9_]+$/,
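Review bot: The documentation strings added in this file section need a pass: `'How tolerant the REST session server will be to clock dift'` has a typo and does not say the unit of restClockTolerance (its default is 15; if that is seconds, say `'Clock drift tolerated by the REST session server (seconds)'`), and `'Avoid browsers to store users password'` reads better as `'Prevent browsers from storing the user password'`. The four passwordPolicyMin* entries default to 0; if 0 means the rule is not enforced, the documentation should state it, e.g. `'Password policy: minimal size (0 = no constraint)'`, but confirm that reading against the portal code that applies the policy, which is not in this commit. The same strings are mirrored in the generated Attributes.pm section earlier in this commit and in the Tree.pm nodes, so they should be regenerated together.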
......
...@@ -85,7 +85,12 @@ sub tree { ...@@ -85,7 +85,12 @@ sub tree {
nodes => [ nodes => [
'portalRequireOldPassword', 'portalRequireOldPassword',
'hideOldPassword', 'hideOldPassword',
'mailOnPasswordChange' 'mailOnPasswordChange',
'passwordPolicyMinSize',
'passwordPolicyMinLower',
'passwordPolicyMinUpper',
'passwordPolicyMinDigit',
'portalDisplayPasswordPolicy',
] ]
}, },
{ {
...@@ -134,7 +139,7 @@ sub tree { ...@@ -134,7 +139,7 @@ sub tree {
{ {
title => 'choiceParams', title => 'choiceParams',
help => 'authchoice.html', help => 'authchoice.html',
nodes => [ 'authChoiceParam', 'authChoiceModules' ] nodes => [ 'authChoiceParam', 'authChoiceModules', 'authChoiceAuthBasic' ]
}, },
{ {
title => 'apacheParams', title => 'apacheParams',
...@@ -286,7 +291,8 @@ sub tree { ...@@ -286,7 +291,8 @@ sub tree {
'ldapUsePasswordResetAttribute', 'ldapUsePasswordResetAttribute',
'ldapPasswordResetAttribute', 'ldapPasswordResetAttribute',
'ldapPasswordResetAttributeValue', 'ldapPasswordResetAttributeValue',
'ldapAllowResetExpiredPassword' 'ldapAllowResetExpiredPassword',
'ldapITDS'
] ]
}, },
] ]
...@@ -587,9 +593,9 @@ sub tree { ...@@ -587,9 +593,9 @@ sub tree {
form => 'simpleInputContainer', form => 'simpleInputContainer',
nodes => [ nodes => [
'wsdlServer', 'restSessionServer', 'wsdlServer', 'restSessionServer',
'restExportSecretKeys', 'restConfigServer', 'restExportSecretKeys', 'restClockTolerance',
'soapSessionServer', 'soapConfigServer', 'restConfigServer', 'soapSessionServer',
'exportedAttr', 'soapConfigServer', 'exportedAttr',
] ]
}, },
{ {
...@@ -868,6 +874,7 @@ sub tree { ...@@ -868,6 +874,7 @@ sub tree {
help => 'security.html#configure_security_settings', help => 'security.html#configure_security_settings',
nodes => [ nodes => [
'userControl', 'userControl',
'browsersDontStorePassword',
'portalForceAuthn', 'portalForceAuthn',
'portalForceAuthnInterval', 'portalForceAuthnInterval',
'key', 'key',
......