Commit be28b60e authored by Christophe Maudoux's avatar Christophe Maudoux

Append identities rule (#1658)

parent 7e1119a8
......@@ -29,6 +29,7 @@ sub defaultValues {
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUserHiddenAttributes' => '_2fDevices _loginHistory hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
......
......@@ -783,6 +783,21 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '_2fDevices _loginHistory hGroups',
'type' => 'text'
},
'checkUserIdRule' => {
'default' => 1,
'test' => sub {
my ( $val, $conf ) = @_;
my $s = '';
'Safe'->new->reval("BEGIN { warnings->unimport; } $s $val");
my $err = join(
'',
grep( { $_ =~ /Undefined subroutine/ ? () : $_; }
split( /\n/, $@, 0 ) )
);
return $err ? ( 1, "__badExpression__: $err" ) : 1;
},
'type' => 'text'
},
'checkXSS' => {
'default' => 1,
'type' => 'bool'
......
......@@ -422,6 +422,12 @@ sub attributes {
documentation => 'Enable check user',
flags => 'p',
},
checkUserIdRule => {
type => 'text',
test => $perlExpr,
default => 1,
documentation => 'checkUser identities rule',
},
checkUserHiddenAttributes => {
type => 'text',
default => '_2fDevices _loginHistory hGroups',
......@@ -461,7 +467,7 @@ sub attributes {
type => 'text',
test => $perlExpr,
default => 1,
documentation => 'Impersonation identity rule',
documentation => 'Impersonation identities rule',
},
impersonationHiddenAttributes => {
type => 'text',
......
......@@ -642,6 +642,7 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'checkUser',
'checkUserIdRule',
'checkUserHiddenAttributes',
'checkUserDisplayPersistentInfo',
'checkUserDisplayEmptyValues',
......
......@@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
......
......@@ -152,11 +152,12 @@
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"choiceParams":"Choice parameters",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
"choiceParams":"Choice parameters",
"chooseLogo":"Choose logo",
"chooseSkin":"Choose skin",
"combination":"Combination",
......
......@@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
......
......@@ -153,6 +153,7 @@
"checkStateSecret":"Secret partagé",
"checkUsers":"Vérification des profils SSO",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Attributs masqués",
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
......
......@@ -153,6 +153,7 @@
"checkStateSecret":"Segreto condiviso",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
......
......@@ -151,8 +151,9 @@
"clickHereToForce":"Nhấp vào đây để bắt buộc",
"checkState":"Kích hoạt",
"checkStateSecret":"Shared secret",
"checkUsers":"Session Check",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
......
......@@ -153,6 +153,7 @@
"checkStateSecret":"Shared secret",
"checkUsers":"SSO profile Check",
"checkUser":"Activation",
"checkUserIdRule":"Identities use rule",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
"checkUserDisplayEmptyValues":"Display empty values",
......
......@@ -25,6 +25,7 @@ has ott => (
return $ott;
}
);
has idRule => ( is => 'rw', default => sub { 1 } );
sub hAttr {
$_[0]->{conf}->{checkUserHiddenAttributes} . ' '
......@@ -33,8 +34,22 @@ sub hAttr {
sub init {
my ($self) = @_;
my $hd = $self->p->HANDLER;
$self->addAuthRoute( checkuser => 'check', ['POST'] );
$self->addAuthRoute( checkuser => 'display', ['GET'] );
# Parse identity rule
$self->logger->debug(
"checkUser identities rule -> " . $self->conf->{checkUserIdRule} );
my $rule =
$hd->buildSub( $hd->substitute( $self->conf->{checkUserIdRule} ) );
unless ($rule) {
$self->error(
"Bad checkUser identities rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{idRule} = $rule;
return 1;
}
......@@ -91,7 +106,7 @@ sub check {
LANGS => $self->conf->{showLanguages},
MSG => 'PE' . PE_MALFORMEDUSER,
ALERTE => 'alert-warning',
LOGIN => $req->{user},
LOGIN => '',
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->userData )
......@@ -183,8 +198,8 @@ sub check {
MSG => $msg,
ALERTE => ( $msg eq 'checkUser' ? 'alert-info' : 'alert-warning' ),
LOGIN => (
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
: $req->{user}
$self->p->checkXSSAttack( 'LOGIN', $req->{userData}->{uid} ) ? ""
: $req->{userData}->{uid}
),
URL => (
$self->p->checkXSSAttack( 'URL', $url ) ? ""
......@@ -218,11 +233,8 @@ sub display {
LANGS => $self->conf->{showLanguages},
MSG => 'checkUser',
ALERTE => 'alert-info',
LOGIN => (
$self->p->checkXSSAttack( 'LOGIN', $req->{user} ) ? ""
: $req->{user}
),
TOKEN => (
LOGIN => '',
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->userData )
: ''
......@@ -251,6 +263,17 @@ sub _userDatas {
$self->logger->debug("Process returned error: $error");
return $req->error($error);
}
# Check identities rule
unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
$self->userLogger->warn(
'checkUser requested for an unvalid user (' . $req->{user} . ")" );
$req->{sessionInfo} = {};
$self->logger->debug('Identity not authorized');
return $req->error(PE_BADCREDENTIALS);
}
$self->logger->debug("Return \"$req->{user}\" sessionInfo");
return $req->{sessionInfo};
}
......@@ -268,6 +291,8 @@ sub _authorization {
last;
}
}
$self->logger->debug("Return \"$req->{user}\" authorization");
return $exist
? $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
undef, $vhost )
......@@ -280,6 +305,8 @@ sub _headers {
$vhost =~ s/:\d+$//;
$req->{env}->{HTTP_HOST} = $vhost;
$self->p->HANDLER->headersInit( $self->{conf} );
$self->logger->debug("Return \"$req->{user}\" headers");
return $self->p->HANDLER->checkHeaders( $req, $req->{userData} );
}
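Review bot: In `init`, `$self->{idRule} = $rule;` writes straight into the object hash instead of going through the `idRule` accessor declared as `is => 'rw'` in the first hunk of this file; `$self->idRule($rule);` keeps the attribute and its storage consistent. Note also that under Mouse/Moo semantics `default => sub { 1 }` gives the attribute the plain value 1, not a code reference, so the `$self->idRule->( $req, $req->sessionInfo )` call in `_userDatas` only works because `init` always either installs the compiled rule or returns 0 — a comment on the `has` line such as `# Replaced at init by the compiled checkUserIdRule sub; not callable before then` would make that dependency visible. The rejection branch in `_userDatas` returns the same `PE_BADCREDENTIALS` as an unknown user, so the rule does not reveal whether the requested session exists; the warn message there has a typo, `'checkUser requested for an invalid user ('`. `sub check` and `sub display` start outside these hunks.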
......