Commit 09281f8d authored by Christophe Maudoux's avatar Christophe Maudoux

Append identities rule and fix error catching (#1664)

parent bea84c88
......@@ -71,6 +71,7 @@ sub defaultValues {
'httpOnly' => 1,
'https' => -1,
'impersonationHiddenAttributes' => '_2fDevices _loginHistory',
'impersonationIdRule' => 1,
'impersonationPrefix' => 'real_',
'impersonationRule' => 0,
'impersonationSkipEmptyValues' => 1,
......@@ -1199,6 +1199,21 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => '_2fDevices _loginHistory',
'type' => 'text'
},
'impersonationIdRule' => {
'default' => 1,
'test' => sub {
my ( $val, $conf ) = @_;
my $s = '';
'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
my $err = join(
'',
grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
},
'type' => 'text'
},
'impersonationMergeSSOgroups' => {
'default' => 0,
'type' => 'bool'
......@@ -457,6 +457,12 @@ sub attributes {
default => 0,
documentation => 'Impersonation activation rule',
},
impersonationIdRule => {
type => 'text',
test => $perlExpr,
default => 1,
documentation => 'Impersonation identity rule',
},
impersonationHiddenAttributes => {
type => 'text',
default => '_2fDevices _loginHistory',
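Review bot: The `documentation` string for `impersonationIdRule` ("Impersonation identity rule") does not tell an administrator what the rule governs or that the default of `1` allows every identity to be impersonated, which is the opposite of what a reader might assume for a restriction setting. The companion plugin code on this page evaluates the rule against the spoofed user's session data and denies the request when it is false, so the setting restricts which target accounts may be impersonated, distinct from `impersonationRule`, which controls who may impersonate. Suggest `documentation => 'Rule restricting which identities may be impersonated (default 1: all)',` so the distinction and the permissive default are visible in the manager.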
......@@ -653,6 +653,7 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'impersonationRule',
'impersonationIdRule',
'impersonationPrefix',
'impersonationHiddenAttributes',
'impersonationSkipEmptyValues',
......@@ -288,6 +288,7 @@
"https":"إتش تي تي بي س",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Usurpation d'identité",
"impersonationRule":"Règle d'utilisation",
"impersonationIdRule":"Règle d'utilisation des identités",
"impersonationHiddenAttributes":"Attributs masqués",
"impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
"impersonationPrefix":"Préfix des vrais attributs",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -288,6 +288,7 @@
"https":"HTTPS",
"impersonation":"Impersonation",
"impersonationRule":"Use rule",
"impersonationIdRule":"Identities use rule",
"impersonationHiddenAttributes":"Hidden attributes",
"impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
"impersonationPrefix":"Real attributes prefix",
......@@ -13,7 +13,8 @@ extends 'Lemonldap::NG::Portal::Main::Plugin';
use constant endAuth => 'run';
has rule => ( is => 'rw', default => sub { 1 } );
has rule => ( is => 'rw', default => sub { 1 } );
has idRule => ( is => 'rw', default => sub { 1 } );
sub hAttr {
$_[0]->{conf}->{impersonationHiddenAttributes} . ' '
......@@ -22,11 +23,11 @@ sub hAttr {
sub init {
my ($self) = @_;
my $hd = $self->p->HANDLER;
# Parse activation rule
my $hd = $self->p->HANDLER;
$self->logger->debug(
"impersonation rule -> " . $self->conf->{impersonationRule} );
"Impersonation rule -> " . $self->conf->{impersonationRule} );
my $rule =
$hd->buildSub( $hd->substitute( $self->conf->{impersonationRule} ) );
unless ($rule) {
......@@ -34,6 +35,19 @@ sub init {
return 0;
}
$self->{rule} = $rule;
# Parse identity rule
$self->logger->debug( "Impersonation identity rule -> "
. $self->conf->{impersonationIdRule} );
$rule =
$hd->buildSub( $hd->substitute( $self->conf->{impersonationIdRule} ) );
unless ($rule) {
$self->error(
"Bad impersonation identity rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{idRule} = $rule;
return 1;
}
......@@ -74,6 +88,9 @@ sub run {
}
$req->{user} = $spoofId;
$spoofSession = $self->_userDatas($req);
return $req->error if $req->error;
$spoofSession->{groups} ||= '';
# Merging SSO groups and hGroups & Dedup
......@@ -133,6 +150,18 @@ sub _userDatas {
$self->logger->debug("Process returned error: $error");
return $req->error($error);
}
# Check identity rule
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
$self->userLogger->warn(
'Impersonation requested for an unvalid user ('
. $req->{user}
. ")" );
$self->logger->debug('Identity not authorized');
return $req->error(PE_BADCREDENTIALS);
}
$self->logger->debug("Populating spoofed session...");
return $req->{sessionInfo};
}
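Review bot: The denial branch added in `_userDatas` logs only the spoofed target (`$req->{user}`, which `run` has just overwritten with `$spoofId` before the call) and never names the account that asked for the impersonation, so the warning cannot be attributed to the requester in an audit review; the requesting identifier is not visible in this hunk, so if `run` still holds it, pass it in or log the denial at the call site as well. The message text also reads "unvalid user" although the debug line below describes the actual condition, so I would change it to `'Impersonation requested for an unauthorized identity ('`. Storing the compiled rule with `$self->{idRule} = $rule;` in `init` bypasses the `has idRule` accessor declared in the first hunk; it mirrors the existing `$self->{rule} = $rule;`, so this is a style remark, and `$self->idRule($rule);` would be the Moo-conventional form. Note that the early `return $req->error if $req->error;` in `run` leaves `$req->{user}` set to the spoofed id on the failure path, which may affect what the caller logs for the failed request; `run` and `_userDatas` both continue outside these hunks.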