Commit 30148caf authored by Christophe Maudoux's avatar Christophe Maudoux

WIP - checkUser hide secret attributes (#1658)

parent c3255e1e
......@@ -29,6 +29,7 @@ sub defaultValues {
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUser' => 1,
'checkUserHiddenAttributes' => 'UA',
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
......
......@@ -771,6 +771,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 1,
'type' => 'bool'
},
'checkUserHiddenAttributes' => {
'default' => 'UA',
'type' => 'text'
},
'checkXSS' => {
'default' => 1,
'type' => 'bool'
......
......@@ -584,6 +584,12 @@ sub attributes {
documentation => 'Enable Check user',
flags => 'p',
},
checkUserHiddenAttributes => {
type => 'text',
default => 'UA',
documentation => 'Attributes to hide in CheckUser plugin',
flags => 'p',
},
checkXSS => {
default => 1,
type => 'bool',
......
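Review bot: The `documentation` string for `checkUserHiddenAttributes` names the plugin it serves but not how the value is written, which is what an administrator filling the field needs to know. The CheckUser plugin in this same commit appends the value to `hiddenAttributes` with a space and tests attribute names against the result, which suggests a whitespace-separated list of attribute names; if that is the intended format, `documentation => 'Space-separated list of attributes to hide in CheckUser plugin'` states it. `attributes` continues outside this hunk.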
......@@ -27,6 +27,10 @@ has ott => (
}
);
sub hAttr {
$_[0]->{conf}->{checkUserHiddenAttributes} . ' ' . $_[0]->{conf}->{hiddenAttributes} ;
}
sub init {
my ($self) = @_;
$self->addAuthRoute( checkuser => 'check', [ 'GET', 'POST' ] );
......@@ -37,9 +41,10 @@ sub init {
sub check {
my ( $self, $req ) = @_;
my ( $hdrs, $attrs, $array_attrs, $array_hdrs ) = ( {}, {}, [],[] );
my $msg = 'checkUser';
my $auth = 0;
my ( $hdrs, $attrs, $array_attrs, $array_hdrs ) = ( {}, {}, [], [] );
my $msg = 'checkUser';
my $result = '';
my $auth = 0;
## Check user attributes
# Use submitted attribute if exists
......@@ -56,12 +61,12 @@ sub check {
# Create an array of hashes for template loop
while ( my ( $k, $v ) = each %$attrs ) {
push @$array_attrs, { key => $k, value => $v };
##### TODO -> DELETE hidden attributes
# Ignore hidden attributes
push @$array_attrs, { key => $k, value => $v } unless ( $self->hAttr =~ /\b$k\b/ );
}
@$array_attrs = sort { $a->{key} cmp $b->{key} } @$array_attrs;
$self->logger->debug( "******** " . Dumper($array_attrs) );
# Check if user is allowed to access submitted URL and compute headers
......@@ -71,7 +76,7 @@ sub check {
$auth = $self->_authorized( $req, $url );
$self->logger->debug(
"checkUser requested for user: $req->{user} and URL: $url");
my $result = $auth ? "ALLOWED" : "FORBIDDEN";
$result = $auth ? "ALLOWED" : "FORBIDDEN";
$self->userLogger->notice(
"checkUser -> $req->{user} is $result to access: $url");
......@@ -82,7 +87,7 @@ sub check {
}
$self->logger->debug( "+++++++++++++ " . Dumper($array_hdrs) );
}
# Display form
......@@ -96,7 +101,7 @@ sub check {
MSG => $msg,
LOGIN => $req->{user},
URL => $url,
ALLOWED => $auth,
ALLOWED => $result,
HEADERS => $array_hdrs,
ATTRIBUTES => $array_attrs,
}
......@@ -110,7 +115,8 @@ sub _attributes {
$req->steps(
[ 'getUser', 'setSessionInfo',
'setMacros', 'setGroups',
'setPersistentSessionInfo', 'setLocalGroups'
#'setPersistentSessionInfo', 'setLocalGroups'
'setLocalGroups'
]
);
if ( my $error = $self->p->process($req) ) {
......@@ -125,11 +131,6 @@ sub _attributes {
return $req->{sessionInfo};
}
sub _headers {
my ( $self, $req ) = @_;
return { 'HEADER1' => 'TEST' };
}
sub _authorized {
my ( $self, $req, $uri ) = @_;
......@@ -142,4 +143,9 @@ sub _authorized {
undef, $vhost );
}
sub _headers {
my ( $self, $req ) = @_;
return { 'HEADER1' => 'TEST' };
}
1;
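Review bot: The hidden-attribute filter `push @$array_attrs, { key => $k, value => $v } unless ( $self->hAttr =~ /\b$k\b/ );` interpolates the attribute name `$k` into a regex unescaped and matches on word boundaries, so a key containing regex metacharacters can die or mismatch, and a hidden name such as `mail-alias` also hides `mail`; since this guard decides whether a value is displayed, it should be an exact-name lookup. Build the set once before the loop with `my %hidden = map { $_ => 1 } split /\s+/, $self->hAttr;` and replace the `unless` guard with `next if $hidden{$k};` ahead of the push. `hAttr` also concatenates `hiddenAttributes` without a definedness check, so an unset value raises an uninitialized warning on every iteration. The `Dumper` debug lines (`******** ` and `+++++++++++++ `) write the full attribute and header sets to the log and read as leftover instrumentation for a WIP change. `check` starts before this hunk and the remaining hunks of this file, and `_headers` still returns the `HEADER1 => TEST` stub.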
......@@ -19,14 +19,15 @@
<th><span trspan="date">Date</span></th>
<th>
<TMPL_IF NAME="ACTION">
<span trspan="action">Action</span></th>
<span trspan="action">Action</span>
</TMPL_IF>
</th>
</tr>
</thead>
<tbody>
<TMPL_LOOP NAME="SFDEVICES">
<tr id='delete-<TMPL_VAR NAME="epoch">'>
<td class="align-middle" ><TMPL_VAR NAME="type"></td>
<td class="align-middle"><TMPL_VAR NAME="type"></td>
<td class="align-middle"><TMPL_VAR NAME="name"></td>
<td class="data-epoch"><TMPL_VAR NAME="epoch"></td>
<td>
......
......@@ -33,6 +33,54 @@
</form>
</div>
<TMPL_IF NAME="ALLOWED">
<div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="ALLOWED">"></span></div>
</TMPL_IF>
<TMPL_IF NAME="HEADERS">
<div class="card mb-3 border-secondary">
<div class="card-body table-responsive">
<table class="table table-hover">
<thead>
<tr>
<th><span trspan="key">Key</span></th>
<th><span trspan="value">Value</span></th>
</tr>
</thead>
<tbody>
<TMPL_LOOP NAME="HEADERS">
<tr>
<td class="align-middle"><TMPL_VAR NAME="key"></td>
<td class="align-middle"><TMPL_VAR NAME="value"></td>
</tr>
</TMPL_LOOP>
</tbody>
</table>
</div>
</div>
</TMPL_IF>
<TMPL_IF NAME="ATTRIBUTES">
<div class="card mb-3 border-secondary">
<div class="card-body table-responsive">
<table class="table table-hover">
<thead>
<tr>
<th><span trspan="key">Key</span></th>
<th><span trspan="value">Value</span></th>
</tr>
</thead>
<tbody>
<TMPL_LOOP NAME="ATTRIBUTES">
<tr>
<td class="align-middle"><TMPL_VAR NAME="key"></td>
<td class="align-middle"><TMPL_VAR NAME="value"></td>
</tr>
</TMPL_LOOP>
</tbody>
</table>
</div>
</div>
</TMPL_IF>
<TMPL_INCLUDE NAME="footer.tpl">
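Review bot: The new HEADERS and ATTRIBUTES tables render `<TMPL_VAR NAME="key">` and `<TMPL_VAR NAME="value">` without `ESCAPE=HTML`; the attribute values come from session data and, per the plugin's comment, from a submitted attribute when one is given, so unless the plugin builds its template with default HTML escaping (not visible here) a value containing markup is inserted into the page verbatim. Write the cells as `<td class="align-middle"><TMPL_VAR NAME="key" ESCAPE=HTML></td>` and `<td class="align-middle"><TMPL_VAR NAME="value" ESCAPE=HTML></td>` in both loops. The `trspan="<TMPL_VAR NAME="ALLOWED">"` span puts a template variable inside an attribute; it is set by the plugin to `ALLOWED` or `FORBIDDEN`, so a short template comment noting that the value is a translation key rather than free text would make that dependency explicit.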