Commit e1fe12a9 authored by Xavier Guimard's avatar Xavier Guimard

Merge branch 'v2.0'

parents ebd4c41a e50e7d09
lemonldap-ng (2.0.6-1) unstable; urgency=medium
FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf.
Those configuration files are now provided by lemonldap-ng-handler package
and installed in /etc/nginx/snippets directory.
-- maudoux <maudoux@localhost> Wed, 11 Sep 2019 22:47:57 +0200
lemonldap-ng (2.0.5-1) unstable; urgency=medium
This version adds some improvements in cryptographic functions. To take
......
......@@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions)|A(?:ppMetaData(?:(?:ExportedVar|Option)s|Node)|ttributes))|(?:ustomAddParam|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|rest(?:(?:Session|
Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|howLanguages|slByAjax)|o(?:idc(?:ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|RPMetaDataOptions(?:LogoutSessionRequired|BypassConsent|RequirePKCE|Public)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|r
est(?:(?:Session|Config)Server|ExportSecretKeys)|br(?:owsersDontStorePassword|uteForceProtection)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
......
......@@ -210,29 +210,30 @@ sub defaultValues {
'portalAntiFrame' => 1,
'portalCheckLogins' => 1,
'portalDisplayAppslist' => 1,
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
'portalDisplayFavApps' => 1,
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayOidcConsents' => '$_oidcConnectedRP',
'portalDisplayRegister' => 1,
'portalErrorOnExpiredSession' => 1,
'portalForceAuthnInterval' => 5,
'portalMainLogo' => 'common/logos/logo_llng_400px.png',
'portalPingInterval' => 60000,
'portalRequireOldPassword' => 1,
'portalSkin' => 'bootstrap',
'portalUserAttr' => '_user',
'proxyAuthnLevel' => 2,
'radius2fActivation' => 0,
'radius2fTimeout' => 20,
'radiusAuthnLevel' => 3,
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
'redirectFormMethod' => 'get',
'registerDB' => 'Null',
'registerTimeout' => 0,
'registerUrl' => 'http://auth.example.com/register',
'reloadTimeout' => 5,
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
'portalDisplayFavApps' => 1,
'portalDisplayGeneratePassword' => 1,
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayOidcConsents' => '$_oidcConnectedRP',
'portalDisplayRegister' => 1,
'portalErrorOnExpiredSession' => 1,
'portalForceAuthnInterval' => 5,
'portalMainLogo' => 'common/logos/logo_llng_400px.png',
'portalPingInterval' => 60000,
'portalRequireOldPassword' => 1,
'portalSkin' => 'bootstrap',
'portalUserAttr' => '_user',
'proxyAuthnLevel' => 2,
'radius2fActivation' => 0,
'radius2fTimeout' => 20,
'radiusAuthnLevel' => 3,
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
'redirectFormMethod' => 'get',
'registerDB' => 'Null',
'registerTimeout' => 0,
'registerUrl' => 'http://auth.example.com/register',
'reloadTimeout' => 5,
'remoteGlobalStorage' => 'Lemonldap::NG::Common::Apache::Session::SOAP',
'remoteGlobalStorageOptions' => {
'ns' =>
......
......@@ -423,7 +423,7 @@ sub fetchId {
$value = $class->tsv->{cipher}->decrypt($value);
unless ( $value =~ s/^(.*)? (.*)$/$1/ and $2 eq $vhost ) {
$class->userLogger->error(
"Bad CDA cookie: available for $2 instead od $vhost");
"Bad CDA cookie: available for $2 instead of $vhost");
return undef;
}
}
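Review bot: The corrected message on the new line still interpolates `$2`, which is undef (or a stale capture left over from an earlier successful match in the same scope) whenever the substitution itself fails, so a malformed or truncated CDA cookie is logged as "available for  instead of ..." rather than with the value actually received, and `$value` has by then been overwritten only on the success path. Match first and keep both captures in lexicals before deciding: `my ( $id, $cookieVhost ) = $value =~ /^(.*)? (.*)$/;` then `unless ( defined $cookieVhost and $cookieVhost eq $vhost ) {` and log `$cookieVhost // '<none>'`, assigning `$value = $id` only after the check passes. fetchId begins and ends outside this hunk, and I cannot see what `decrypt` returns on a tampered cookie; confirm that its failure value (presumably empty or undef) also falls into the rejected branch rather than matching the regex with an empty vhost.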
......
......@@ -54,13 +54,14 @@ sub _run {
# auth_request_set $headervalue1 $upstream_http_headervalue1;
# #proxy_set_header $headername1 $headervalue1;
# # OR
# #fastcgi_param $fheadername1 $headervalue1;
# #fastcgi_param $headername1 $headervalue1;
#
# LLNG::Handler::Server::Main add also a header called Lm-Remote-User set to
# whatToTrace value that can be used in Nginx virtualhost configuration to
# insert user id in logs
# LLNG::Handler::Server::Main add also headers called Lm-Remote-User set to
# whatToTrace value and Lm-Remote-Custom that can be used in Nginx virtualhosts configuration to
# insert user id and a custom value in logs
#
# auth_request_set $llremoteuser $upstream_http_lm_remote_user
# auth_request_set $lmremote_user $upstream_http_lm_remote_user
# auth_request_set $lmremote_custom $upstream_http_lm_remote_custom
#
#@param $req Lemonldap::NG::Common::PSGI::Request
sub handler {
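Review bot: The rewritten comment on the Lm-Remote-* headers is hard to parse ("add also headers called Lm-Remote-User set to whatToTrace value and Lm-Remote-Custom that can be used") and, unlike Lm-Remote-User, it never says where the Lm-Remote-Custom value comes from, which an operator needs before copying it into access logs. I would write `# LLNG::Handler::Server::Main also adds two headers: Lm-Remote-User (the whatToTrace value) and Lm-Remote-Custom (value taken from configuration; name the parameter here), which the Nginx virtualhost configuration can copy into its logs:`. If the custom value is an administrator-defined expression, say so explicitly, since whatever it evaluates to ends up in the access log line. The `$fheadername1` to `$headername1` fix in the sample fastcgi_param line is consistent with the auth_request_set line above it. The body of `handler` lies outside this hunk.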
......
......@@ -2330,6 +2330,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 1,
'type' => 'boolOrExpr'
},
'portalDisplayGeneratePassword' => {
'default' => 1,
'type' => 'bool'
},
'portalDisplayLoginHistory' => {
'default' => 1,
'type' => 'boolOrExpr'
......
......@@ -978,6 +978,12 @@ sub attributes {
default => '$_oidcConnectedRP',
documentation => 'Display OIDC consent tab in portal',
},
portalDisplayGeneratePassword => {
default => 1,
type => 'bool',
documentation =>
'Display password generate box in reset password form',
},
# Cookies
cookieExpiration => {
......
......@@ -91,6 +91,7 @@ sub tree {
'passwordPolicyMinUpper',
'passwordPolicyMinDigit',
'portalDisplayPasswordPolicy',
'portalDisplayGeneratePassword',
]
},
{
......@@ -139,7 +140,10 @@ sub tree {
{
title => 'choiceParams',
help => 'authchoice.html',
nodes => [ 'authChoiceParam', 'authChoiceModules', 'authChoiceAuthBasic' ]
nodes => [
'authChoiceParam', 'authChoiceModules',
'authChoiceAuthBasic'
]
},
{
title => 'apacheParams',
......
......@@ -653,6 +653,7 @@
"portalDisplayAppslist":"قائمة التطبيقات",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"تغيير كلمة المرور",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"سجل تسجيل الدخول",
"portalDisplayLogout":"تسجيل الخروج",
"portalDisplayPasswordPolicy":"Display policy in password form",
......@@ -1063,4 +1064,4 @@
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
\ No newline at end of file
}
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Applications list",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"Password change",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"Login History",
"portalDisplayLogout":"Logout",
"portalDisplayPasswordPolicy":"Display policy in password form",
......@@ -1062,4 +1063,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
\ No newline at end of file
}
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Applications list",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"Password change",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"Login History",
"portalDisplayLogout":"Logout",
"portalDisplayPasswordPolicy": "Display policy in password form",
......
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Liste des applications",
"portalDisplayFavApps":"Règle d'utilisation",
"portalDisplayChangePassword":"Changement de mot de passe",
"portalDisplayGeneratePassword":"Afficher la boite de génération du mot de passe",
"portalDisplayLoginHistory":"Historique des connexions",
"portalDisplayLogout":"Déconnexion",
"portalDisplayPasswordPolicy": "Afficher la politique dans le formulaire de mot de passe",
......
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Lista delle applicazioni",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"Cambio password",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"Cronologia login",
"portalDisplayLogout":"Logout",
"portalDisplayPasswordPolicy":"Display policy in password form",
......@@ -1062,4 +1063,4 @@
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
}
\ No newline at end of file
}
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Danh sách ứng dụng",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"Thay đổi mật khẩu",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"Lịch sử đăng nhập",
"portalDisplayLogout":"Đăng xuất",
"portalDisplayPasswordPolicy":"Display policy in password form",
......@@ -1062,4 +1063,4 @@
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
\ No newline at end of file
}
......@@ -652,6 +652,7 @@
"portalDisplayAppslist":"Applications list",
"portalDisplayFavApps":"Activation rule",
"portalDisplayChangePassword":"Password change",
"portalDisplayGeneratePassword":"Display generate password box",
"portalDisplayLoginHistory":"Login History",
"portalDisplayLogout":"Logout",
"portalDisplayPasswordPolicy":"Display policy in password form",
......@@ -1062,4 +1063,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
\ No newline at end of file
}
......@@ -24,6 +24,10 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_PASSWORDFORMEMPTY
PE_PASSWORD_MISMATCH
PE_PASSWORD_OK
PE_PP_INSUFFICIENT_PASSWORD_QUALITY
PE_PP_PASSWORD_TOO_SHORT
PE_PP_PASSWORD_TOO_YOUNG
PE_PP_PASSWORD_IN_HISTORY
PE_TOKENEXPIRED
PE_USERNOTFOUND
);
......@@ -441,7 +445,10 @@ sub changePwd {
my $cpq =
$self->Lemonldap::NG::Portal::Password::Base::checkPasswordQuality(
$req->data->{newpassword} );
return $cpq unless ( $cpq == PE_OK );
unless ( $cpq == PE_OK ) {
$self->ott->setToken( $req, $req->sessionInfo );
return $cpq;
}
# Modify the password TODO: change this
# Populate $req->{user} for logging purpose
......@@ -455,7 +462,10 @@ sub changePwd {
$self->conf->{portalRequireOldPassword} = $tmp;
# Mail token can be used only one time, delete the session if all is ok
return $result unless ( $result == PE_PASSWORD_OK or $result == PE_OK );
unless ( $result == PE_PASSWORD_OK or $result == PE_OK ) {
$self->ott->setToken( $req, $req->sessionInfo );
return $result;
}
# Send mail containing the new password
$req->data->{mailAddress} ||=
......@@ -545,6 +555,8 @@ sub display {
PPOLICY_MINLOWER => $self->conf->{passwordPolicyMinLower},
PPOLICY_MINUPPER => $self->conf->{passwordPolicyMinUpper},
PPOLICY_MINDIGIT => $self->conf->{passwordPolicyMinDigit},
DISPLAY_GENERATE_PASSWORD =>
$self->conf->{portalDisplayGeneratePassword},
);
if ( $req->data->{mailToken}
and
......@@ -605,9 +617,15 @@ sub display {
$tplPrm{DISPLAY_PASSWORD_FORM} = 1;
}
# Display password change form again if passwords mismatch
# Display password change form again
# - if passwords mismatch
# - if password quality check fail
elsif ($req->error == PE_PASSWORDFORMEMPTY
|| $req->error == PE_PASSWORD_MISMATCH )
|| $req->error == PE_PASSWORD_MISMATCH
|| $req->error == PE_PP_INSUFFICIENT_PASSWORD_QUALITY
|| $req->error == PE_PP_PASSWORD_TOO_SHORT
|| $req->error == PE_PP_PASSWORD_TOO_YOUNG
|| $req->error == PE_PP_PASSWORD_IN_HISTORY )
{
$self->logger->debug('Display password form');
$tplPrm{DISPLAY_PASSWORD_FORM} = $req->sessionInfo->{pwdAllowed};
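Review bot: Re-issuing the one-time token in the two new `unless` blocks of changePwd turns the single-use mail token into an unbounded retry loop: every rejected password mints a fresh OTT from the same `$req->sessionInfo`, with no attempt counter and no log line, so a captured reset link stays live until a compliant password is finally submitted. At minimum log the rejection where the token is reissued, e.g. `$self->logger->notice("Password reset rejected (code $cpq), reissuing token");`, and consider counting attempts in the reset session and refusing to reissue past a small bound rather than only on expiry. The redisplay branch in display hardcodes four PE_PP_* codes; if checkPasswordQuality or the backend can return any other PE_PP_* code (not visible here), changePwd will have issued a new token while display drops the form, leaving the user with a valid token and no way to use it, so a shared predicate or a `grep { $req->error == $_ } @retryable` list kept next to the constants would keep the two in step. Both `changePwd` and `display` start and end outside these hunks.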
......
......@@ -145,6 +145,7 @@
<input name="confirmpassword" type="password" class="form-control" trplaceholder="confirmPwd" />
</div>
<TMPL_IF NAME="DISPLAY_GENERATE_PASSWORD">
<div class="input-group mb-3">
<div class="input-group-prepend">
<div class="input-group-text">
......@@ -155,6 +156,7 @@
<label for="reset" id="resetlabel" trspan="generatePwd">Generate the password automatically</label>
</p>
</div>
</TMPL_IF>
<button type="submit" class="btn btn-success">
<span class="fa fa-envelope-open"></span>
......