# debian/tests/runner launch pkg-perl-autopkgtest tests for each library
Test-Command: ./debian/tests/runner build-deps
Depends: @, @builddeps@, pkg-perl-autopkgtest, libmouse-perl
Test-Command: ./debian/tests/runner build-deps lemonldap-ng-common
Depends: liblemonldap-ng-common-perl, @builddeps@, pkg-perl-autopkgtest
Test-Command: ./debian/tests/runner runtime-deps
Depends: @, pkg-perl-autopkgtest, libmouse-perl
Test-Command: ./debian/tests/runner build-deps lemonldap-ng-handler
Depends: liblemonldap-ng-handler-perl, @builddeps@, pkg-perl-autopkgtest
Test-Command: ./debian/tests/runner build-deps lemonldap-ng-portal
Depends: liblemonldap-ng-portal-perl, @builddeps@, pkg-perl-autopkgtest
Test-Command: ./debian/tests/runner build-deps lemonldap-ng-manager
Depends: liblemonldap-ng-manager-perl, @builddeps@, pkg-perl-autopkgtest
Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-common
Depends: liblemonldap-ng-common-perl, pkg-perl-autopkgtest, libmouse-perl
Restrictions: superficial, skippable
# Disable this one: skipped
#Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-handler
#Depends: liblemonldap-ng-handler-perl, pkg-perl-autopkgtest, libmouse-perl
#Restrictions: superficial, skippable
Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-portal
Depends: liblemonldap-ng-portal-perl, pkg-perl-autopkgtest, libmouse-perl
Restrictions: superficial, skippable
Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-manager
Depends: liblemonldap-ng-manager-perl, pkg-perl-autopkgtest, libmouse-perl
Restrictions: superficial, skippable
# Use pkg-perl-autopkgtest test for runtime-deps-and-recommends
# Some portal suggested dependencies are added here
Test-Command: /usr/share/pkg-perl-autopkgtest/runner runtime-deps-and-recommends
Depends: @, @builddeps@, pkg-perl-autopkgtest, libyaml-perl, liblog-log4perl-perl, libauthen-pam-perl, libauthen-radius-perl, libweb-id-perl, libipc-run-perl
Depends: @, @builddeps@, pkg-perl-autopkgtest, libyaml-perl, liblog-log4perl-perl, libauthen-pam-perl, libauthen-radius-perl, libweb-id-perl
Restrictions: superficial
#Test-Command: ./debian/tests/runner heavy-deps
#Depends: @, pkg-perl-autopkgtest, pkg-perl-autopkgtest-heavy, libmouse-perl
......@@ -141,6 +141,10 @@
"namespace": "lemonldap-ng-sessions"
},
"locationRules": {
"auth.example.com" : {
"(?#checkUser)/checkuser" : "$uid eq \"dwho\"",
"default" : "deny"
},
"manager.example.com": {
"(?#Configuration)^/(manager\\.html|conf/)": "$uid eq \"dwho\"",
"(?#Notifications)^/notifications": "$uid eq \"dwho\" or $uid eq \"rtyler\"",
......
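Review bot: The new `auth.example.com` rule key `(?#checkUser)/checkuser` is unanchored, while the `manager.example.com` rules in the same block anchor with `^/`; as written it also matches any path that merely contains `/checkuser`. With `"default" : "deny"` that is harmless in this fixture, but `"(?#checkUser)^/checkuser" : "$uid eq \"dwho\""` keeps the test data consistent with the other vhosts and with the `/checkuser` URI the portal's `accessCtrl` computes. The enclosing `locationRules` object continues outside the hunk.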
......@@ -28,7 +28,7 @@ sub defaultValues {
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'checkTime' => 600,
'checkUserHiddenAttributes' => 'UA _2fDevices _loginHistory',
'checkUserHiddenAttributes' => '_2fDevices _loginHistory hGroups',
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
......@@ -70,6 +70,10 @@ sub defaultValues {
'hiddenAttributes' => '_password',
'httpOnly' => 1,
'https' => -1,
'idSpoofingHiddenAttributes' => '_2fDevices _loginHistory',
'idSpoofingPrefix' => 'real_',
'idSpoofingRule' => 1,
'idSpoofingSkipEmptyValues' => 1,
'infoFormMethod' => 'get',
'issuerDBCASPath' => '^/cas/',
'issuerDBCASRule' => 1,
......@@ -241,6 +245,7 @@ sub defaultValues {
'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com',
'samlOverrideIDPEntityID' => '',
'samlRelayStateTimeout' => 600,
'samlServiceSignatureMethod' => 'RSA_SHA1',
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
......
......@@ -66,7 +66,7 @@ our $issuerParameters = {
issuerDBOpenIDConnect => [qw(issuerDBOpenIDConnectActivation issuerDBOpenIDConnectPath issuerDBOpenIDConnectRule)],
issuerDBSAML => [qw(issuerDBSAMLActivation issuerDBSAMLPath issuerDBSAMLRule)],
};
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive)];
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlIdPResolveCookie samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataIssuer oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcStorage oidcStorageOptions)];
1;
......@@ -41,11 +41,11 @@ sub serviceToXML {
samlOrganizationURL
);
if ($type eq 'idp') {
if ($type and $type eq 'idp') {
$template->param( 'hideSPMetadata', 1);
}
if ($type eq 'sp') {
if ($type and $type eq 'sp') {
$template->param( 'hideIDPMetadata', 1);
}
......@@ -53,6 +53,11 @@ sub serviceToXML {
$template->param( $_, $self->getValue( $_, $conf ) );
}
# When asked to provide only IDP metadata, take into account EntityID override
if ( $type eq "idp" and $conf->{samlOverrideIDPEntityID} ) {
$template->param( 'samlEntityID', $conf->{samlOverrideIDPEntityID} );
}
# Boolean parameters
my @param_boolean = qw(
samlSPSSODescriptorAuthnRequestsSigned
......
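Review bot: The new override block `if ( $type eq "idp" and $conf->{samlOverrideIDPEntityID} )` is not guarded the way the two conditions above it were just changed to be (`$type and $type eq 'idp'`), so a caller passing undef still triggers an uninitialized-value warning on this line. Use the same form, `if ( $type and $type eq 'idp' and $conf->{samlOverrideIDPEntityID} ) {`. A comment noting that `$type` reaches this sub from a request parameter (`metadata` in Portal::Lib::SAML) and that any value other than `idp`/`sp` yields the combined metadata would also help the next reader. `serviceToXML` starts before this hunk and ends after it.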
......@@ -780,7 +780,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'type' => 'bool'
},
'checkUserHiddenAttributes' => {
'default' => 'UA _2fDevices _loginHistory',
'default' => '_2fDevices _loginHistory hGroups',
'type' => 'text'
},
'checkXSS' => {
......@@ -1195,6 +1195,26 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => -1,
'type' => 'trool'
},
'idSpoofing' => {
'default' => 0,
'type' => 'bool'
},
'idSpoofingHiddenAttributes' => {
'default' => '_2fDevices _loginHistory',
'type' => 'text'
},
'idSpoofingPrefix' => {
'default' => 'real_',
'type' => 'text'
},
'idSpoofingRule' => {
'default' => 1,
'type' => 'boolOrExpr'
},
'idSpoofingSkipEmptyValues' => {
'default' => 1,
'type' => 'bool'
},
'infoFormMethod' => {
'default' => 'get',
'select' => [ {
......@@ -2865,6 +2885,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 'http://www.example.com',
'type' => 'text'
},
'samlOverrideIDPEntityID' => {
'default' => '',
'type' => 'text'
},
'samlRelayStateTimeout' => {
'default' => 600,
'type' => 'int'
......
......@@ -416,6 +416,59 @@ sub attributes {
type => 'text',
documentation => 'Secret token for CheckState plugin',
},
checkUser => {
default => 0,
type => 'bool',
documentation => 'Enable check user',
flags => 'p',
},
checkUserHiddenAttributes => {
type => 'text',
default => '_2fDevices _loginHistory hGroups',
documentation => 'Attributes to hide in CheckUser plugin',
flags => 'p',
},
checkUserDisplayPersistentInfo => {
default => 0,
type => 'bool',
documentation => 'Display persistent session info',
flags => 'p',
},
checkUserDisplayEmptyValues => {
default => 0,
type => 'bool',
documentation => 'Display session empty values',
flags => 'p',
},
idSpoofing => {
default => 0,
type => 'bool',
documentation => 'Enable IdSpoofing plugin',
flags => 'p',
},
idSpoofingPrefix => {
type => 'text',
default => 'real_',
documentation => 'Prefix to rename real session attributes',
flags => 'p',
},
idSpoofingRule => {
type => 'boolOrExpr',
default => 1,
documentation => 'IdSpoofing activation rule',
},
idSpoofingHiddenAttributes => {
type => 'text',
default => '_2fDevices _loginHistory',
documentation => 'Attributes to skip',
flags => 'p',
},
idSpoofingSkipEmptyValues => {
default => 1,
type => 'bool',
documentation => 'Skip session empty values',
flags => 'p',
},
skipRenewConfirmation => {
type => 'bool',
default => 0,
......@@ -578,30 +631,6 @@ sub attributes {
documentation => 'Enable Cross Domain Authentication',
flags => 'hp',
},
checkUser => {
default => 0,
type => 'bool',
documentation => 'Enable check user',
flags => 'p',
},
checkUserHiddenAttributes => {
type => 'text',
default => 'UA _2fDevices _loginHistory',
documentation => 'Attributes to hide in CheckUser plugin',
flags => 'p',
},
checkUserDisplayPersistentInfo => {
default => 0,
type => 'bool',
documentation => 'Display persistent session info',
flags => 'p',
},
checkUserDisplayEmptyValues => {
default => 0,
type => 'bool',
documentation => 'Display session empty values',
flags => 'p',
},
checkXSS => {
default => 1,
type => 'bool',
......@@ -1992,6 +2021,11 @@ sub attributes {
default => 600,
documentation => 'SAML timeout of relay state',
},
samlOverrideIDPEntityID => {
type => 'text',
documentation => 'Override SAML EntityID when acting as an IDP',
default => '',
},
samlUseQueryStringSpecific => {
default => 0,
type => 'bool',
......
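Review bot: `idSpoofingRule` is the only one of the five new idSpoofing entries without `flags => 'p'` (compare `idSpoofing`, `idSpoofingPrefix`, `idSpoofingHiddenAttributes`, `idSpoofingSkipEmptyValues`); if that flag is what marks a key as a portal parameter, the rule the plugin reads in `init` would not reach the portal, so either add `flags => 'p',` or leave a comment on why it differs. The `documentation` string `'Attributes to skip'` is also vaguer than its checkUser counterpart; `'Attributes not copied into the prefixed real-session keys'` describes what the plugin actually does with the list. The `attributes` sub starts and ends outside these hunks.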
......@@ -648,6 +648,18 @@ sub tree {
'checkUserDisplayEmptyValues',
]
},
{
title => 'spoofingIds',
help => 'idspoofing.html',
form => 'simpleInputContainer',
nodes => [
'idSpoofing',
'idSpoofingRule',
'idSpoofingPrefix',
'idSpoofingHiddenAttributes',
'idSpoofingSkipEmptyValues',
]
},
]
},
{
......@@ -997,7 +1009,8 @@ sub tree {
'samlDiscoveryProtocolPolicy',
'samlDiscoveryProtocolIsPassive'
]
}
},
'samlOverrideIDPEntityID',
]
}
]
......
......@@ -629,6 +629,18 @@ sub tests {
return 1;
},
# Warn if IdSpoofing plugin is enabled
checkIdSpoofing => sub {
return 1 unless ( $conf->{idSpoofing} );
return ( -1,
'"IdSpoofing" plugin is enabled!!!'
)
if ( $conf->{idSpoofing} );
# Return
return 1;
},
};
}
......
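Review bot: In the new `checkIdSpoofing` test the second condition `if ( $conf->{idSpoofing} )` is always true once the `return 1 unless ( $conf->{idSpoofing} );` guard has passed, and the trailing `return 1;` is unreachable. The body reduces to the guard followed by an unconditional `return ( -1, '"IdSpoofing" plugin is enabled!!!' );`. A comment saying why this is a warning (-1) rather than an error would help, since enabling the plugin lets any user matching `idSpoofingRule` load another user's session data into their own session. `tests` starts before this hunk.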
......@@ -151,7 +151,7 @@
"clickHereToForce":"انقر هنا لإجبار",
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"Session check",
"checkUsers":"Session Check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"إخفاء الشجرة",
"httpOnly":"الحماية بواسطة جافا سكريبت",
"https":"إتش تي تي بي س",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"الحقول المطلوبة مفقودة",
"index":"فهرس",
"infoFormMethod":"طريقة للحصول على معلومات الإستمارة",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"يو آر إل القارئ",
"samlCommonDomainCookieWriter":"يو آر إل الكاتب",
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين"
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -151,8 +151,8 @@
"clickHereToForce":"Click here to force",
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"Session Check",
"choiceParams":"Choice parameters",
"checkUsers":"Session check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"Hide tree",
"httpOnly":"Javascript protection",
"https":"HTTPS",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",
"infoFormMethod":"Method for info form",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method"
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -151,7 +151,7 @@
"clickHereToForce":"Click here to force",
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"Session check",
"checkUsers":"Session Check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"Hide tree",
"httpOnly":"Javascript protection",
"https":"HTTPS",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",
"infoFormMethod":"Method for info form",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method"
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -151,12 +151,12 @@
"clickHereToForce":"Cliquer ici pour forcer",
"checkState":"Activation",
"checkStateSecret":"Secret partagé",
"choiceParams":"Paramètres des choix",
"checkUsers":"Vérification de session",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Attributs masqués",
"checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
"checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
"choiceParams":"Paramètres des choix",
"chooseLogo":"Choisir le logo",
"chooseSkin":"Choisir le thème",
"combination":"Combinaison",
......@@ -286,6 +286,12 @@
"hideTree":"Masquer l'arbre",
"httpOnly":"Protection contre javascript",
"https":"HTTPS",
"spoofingIds":"Usurpation d'identité",
"idSpoofing":"Activation",
"idSpoofingRule":"Règle d'utilisation",
"idSpoofingHiddenAttributes":"Attributs masqués",
"idSpoofingPrefix":"Préfix des vrais attributs",
"idSpoofingSkipEmptyValues":"Ignorer les valeurs nulles",
"incompleteForm":"Des champs requis manquent",
"index":"Index",
"infoFormMethod":"Méthode du formulaire d'information",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"URL de lecture",
"samlCommonDomainCookieWriter":"URL d'écriture",
"samlRelayStateTimeout":"Durée de vie d'une session RelayState",
"samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string"
"samlUseQueryStringSpecific":"Utilisation d'une fonction spécifique pour query_string",
"samlOverrideIDPEntityID": "Valeur de l'Entity ID en mode IDP"
}
......@@ -151,7 +151,7 @@
"clickHereToForce":"Clicca qui per forzare",
"checkState":"Attivazione",
"checkStateSecret":"Segreto condiviso",
"checkUsers":"Session check",
"checkUsers":"Session Check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"Nascondi l'albero",
"httpOnly":"Protezione Javascript",
"https":"HTTPS",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"Mancano campi obbligatori",
"index":"Indice",
"infoFormMethod":"Metodo per il modulo informazioni",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"URL del lettore",
"samlCommonDomainCookieWriter":"URL dell'autore",
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string"
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -151,7 +151,7 @@
"clickHereToForce":"Nhấp vào đây để bắt buộc",
"checkState":"Kích hoạt",
"checkStateSecret":"Shared secret",
"checkUsers":"Session check",
"checkUsers":"Session Check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"Ẩn cây",
"httpOnly":"Bảo vệ Javascript",
"https":"HTTPS",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"Các trường bắt buộc bị thiếu",
"index":"Chỉ mục",
"infoFormMethod":"Phương pháp cho mẫu thông tin",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"Trình đọc URL",
"samlCommonDomainCookieWriter":"Trình viết URL",
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể"
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -151,7 +151,7 @@
"clickHereToForce":"Click here to force",
"checkState":"Activation",
"checkStateSecret":"Shared secret",
"checkUsers":"Session check",
"checkUsers":"Session Check",
"checkUser":"Activation",
"checkUserHiddenAttributes":"Hidden attributes",
"checkUserDisplayPersistentInfo":"Display persistent session",
......@@ -286,6 +286,12 @@
"hideTree":"Hide tree",
"httpOnly":"Javascript protection",
"https":"HTTPS",
"spoofingIds":"Id Spoofing",
"idSpoofing":"Activation",
"idSpoofingRule":"Use rule",
"idSpoofingHiddenAttributes":"Hidden attributes",
"idSpoofingPrefix":"Real attributes prefix",
"idSpoofingSkipEmptyValues":"Skip empty values",
"incompleteForm":"Required fields are missing",
"index":"Index",
"infoFormMethod":"Method for info form",
......@@ -969,5 +975,6 @@
"samlCommonDomainCookieReader":"Reader URL",
"samlCommonDomainCookieWriter":"Writer URL",
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method"
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID": "Override Entity ID when acting as IDP"
}
......@@ -100,9 +100,11 @@ lib/Lemonldap/NG/Portal/Plugins/AutoSignin.pm
lib/Lemonldap/NG/Portal/Plugins/BruteForceProtection.pm
lib/Lemonldap/NG/Portal/Plugins/CDA.pm
lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
lib/Lemonldap/NG/Portal/Plugins/CheckUser.pm
lib/Lemonldap/NG/Portal/Plugins/ForceAuthn.pm
lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm
lib/Lemonldap/NG/Portal/Plugins/History.pm
lib/Lemonldap/NG/Portal/Plugins/IdSpoofing.pm
lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm
lib/Lemonldap/NG/Portal/Plugins/Notifications.pm
lib/Lemonldap/NG/Portal/Plugins/PublicPages.pm
......@@ -323,6 +325,7 @@ site/templates/bootstrap/2fchoice.tpl
site/templates/bootstrap/2fregisters.tpl
site/templates/bootstrap/casBack2Url.tpl
site/templates/bootstrap/checklogins.tpl
site/templates/bootstrap/checkuser.tpl
site/templates/bootstrap/confirm.tpl
site/templates/bootstrap/customfooter.tpl
site/templates/bootstrap/customhead.tpl
......@@ -499,6 +502,8 @@ t/66-CDA-already-auth.t
t/66-CDA-with-REST.t
t/66-CDA-with-SOAP.t
t/66-CDA.t
t/67-CheckUser-with-token.t
t/67-CheckUser.t
t/70-2F-TOTP-with-History.t
t/70-2F-TOTP.t
t/70-2F-TOTP_8.t
......
......@@ -91,6 +91,11 @@ qr/^($saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_u
);
return 0 unless ($res);
if ( $self->conf->{samlOverrideIDPEntityID} ) {
$self->lassoServer->ProviderID(
$self->conf->{samlOverrideIDPEntityID} );
}
# Single logout routes
$self->addUnauthRouteFromMetaDataURL(
"samlIDPSSODescriptorSingleLogoutServiceSOAP",
......
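Review bot: The `ProviderID` override on `$self->lassoServer` is applied unconditionally once the issuer loads; if that server object is shared with the SP side of the same portal (the one `loadService` builds with `serviceToXML( $self->conf, '')`), SP-initiated messages would also carry the overridden EntityID, contradicting the `idp`-only scope the metadata code gives this setting. Please confirm the issuer holds its own server instance and record it on this line, e.g. `# Issuer-side EntityID override only; SP metadata keeps samlEntityID`. The enclosing sub starts and ends outside the hunk.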
......@@ -564,7 +564,7 @@ sub checkIDTokenValidity {
$self->logger->error("Auth time was not returned by OP $op");
return 0;
}
if ( $auth_time + $max_age > time ) {
if ( time > $auth_time + $max_age ) {
$self->userLogger->error(
"Authentication time ($auth_time) is too old (Max age: $max_age)"
);
......
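Review bot: The corrected check `if ( time > $auth_time + $max_age )` compares the OP-supplied `auth_time` against local wall-clock time with no tolerance, so a few seconds of clock skew between OP and RP rejects a token that was valid when issued. If the rest of `checkIDTokenValidity` (outside this hunk) applies a skew allowance to `exp`/`iat`, the same allowance belongs here; otherwise a one-line comment that the strict comparison is intentional would save the next reader the question. `checkIDTokenValidity` starts and ends outside the hunk.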
......@@ -184,7 +184,7 @@ sub loadService {
# Create Lasso server with service metadata
my $server = $self->createServer(
$service_metadata->serviceToXML( $self->conf ),
$service_metadata->serviceToXML( $self->conf, ''),
$self->conf->{samlServicePrivateKeySig},
$self->conf->{samlServicePrivateKeySigPwd},
......@@ -3072,7 +3072,7 @@ sub importRealSession {
sub metadata {
my ( $self, $req ) = @_;
my $type = $req->param('type');
my $type = $req->param('type') || 'all';
require Lemonldap::NG::Common::Conf::SAML::Metadata;
if ( my $metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new() ) {
my $s = $metadata->serviceToXML( $self->conf, $type);
......
......@@ -3,7 +3,7 @@ package Lemonldap::NG::Portal::Main::Constants;
use strict;
use Exporter 'import';
our $VERSION = '2.0.2';
our $VERSION = '2.0.3';
use constant HANDLER => 'Lemonldap::NG::Handler::PSGI::Main';
use constant {
......@@ -98,7 +98,7 @@ use constant {
PE_OIDC_SERVICE_NOT_ALLOWED => 90,
PE_OID_SERVICE_NOT_ALLOWED => 91,
PE_GET_SERVICE_NOT_ALLOWED => 92,
PE_IDSPOOFING_SERVICE_NOT_ALLOWED => 93,
};
# EXPORTER PARAMETERS
......@@ -126,7 +126,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT PE_MUSTAUTHN
PE_MUSTHAVEMAIL PE_SAML_SERVICE_NOT_ALLOWED PE_OIDC_SERVICE_NOT_ALLOWED
PE_OID_SERVICE_NOT_ALLOWED PE_GET_SERVICE_NOT_ALLOWED
PE_OID_SERVICE_NOT_ALLOWED PE_GET_SERVICE_NOT_ALLOWED PE_IDSPOOFING_SERVICE_NOT_ALLOWED
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
......
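Review bot: The new `PE_IDSPOOFING_SERVICE_NOT_ALLOWED => 93` presumably needs a matching user-facing message wherever the other `PE_*_SERVICE_NOT_ALLOWED` codes are given one; nothing on this page adds it, so the portal would fall back to whatever it shows for an unknown code when `IdSpoofing::run` returns 93. The appended name also pushes the `@EXPORT_OK` line well past the width of its neighbours; wrapping it as `PE_OID_SERVICE_NOT_ALLOWED PE_GET_SERVICE_NOT_ALLOWED` followed by `PE_IDSPOOFING_SERVICE_NOT_ALLOWED` on its own line keeps the list readable.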
......@@ -291,6 +291,7 @@ sub display {
REGISTER_URL => $self->conf->{registerUrl},
HIDDEN_INPUTS => $self->buildHiddenForm($req),
STAYCONNECTED => $self->conf->{stayConnected},
SPOOFID => $self->conf->{idSpoofing},
(
$req->data->{customScript}
? ( CUSTOM_SCRIPT => $req->data->{customScript} )
......
......@@ -5,8 +5,9 @@ package Lemonldap::NG::Portal::Main::Plugin;
use strict;
use Mouse;
use HTML::Template;
use Data::Dumper;
our $VERSION = '2.0.2';
our $VERSION = '2.0.3';
extends 'Lemonldap::NG::Common::Module';
......@@ -56,6 +57,21 @@ sub loadTemplate {
return $self->p->loadTemplate(@_);
}
sub accessCtrl {
my ( $self, $req, $uri ) = @_;
my $url = $self->conf->{portal} . $uri;
$self->logger->debug("Plugin calls accessCtrl for URL: $url");
# Check access rule
my ( $vhost, $appuri ) = $url =~ m#^https?://([^/]*)(.*)#;
$vhost =~ s/:\d+$//;
$appuri ||= '/';
$self->logger->debug(
"grant function call with VH: $vhost and URI: $appuri");
return $self->p->HANDLER->grant( $req, $req->{userData}, $appuri,
undef, $vhost );
}
1;
__END__
......
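Review bot: `accessCtrl` builds the URL as `$self->conf->{portal} . $uri` with no separator, so a `portal` value without a trailing slash and the `'checkuser'` argument CheckUser passes yield `https://auth.example.comcheckuser`: the regex then takes `auth.example.comcheckuser` as `$vhost` and `$appuri` falls back to `/`, and the rule evaluated is not the one intended. Normalising first avoids this: `my $url = $self->conf->{portal}; $url .= '/' unless $url =~ m{/$}; $url .= $uri;`. The sub also differs from CheckUser's `_authorization` in that it neither calls `resolveAlias` on `$vhost` nor grants against `$req->{sessionInfo}` (it passes `$req->{userData}`); I cannot tell from here which is right, but the two should agree and the choice deserves a comment. Finally, `use Data::Dumper;` is not used by any visible code in this module and should not stay in a production package.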
......@@ -26,6 +26,7 @@ our @pList = (
checkState => '::Plugins::CheckState',
portalForceAuthn => '::Plugins::ForceAuthn',
checkUser => '::Plugins::CheckUser',
idSpoofing => '::Plugins::IdSpoofing',
);
##@method list enabledPlugins
......
......@@ -44,6 +44,15 @@ sub check {
my ( $attrs, $array_attrs, $array_hdrs ) = ( {}, [], [] );
my $msg = my $auth = '';
# Check access rule
unless ( $self->accessCtrl( $req, 'checkuser' ) ) {
$self->userLogger->error(
"user $req->{user} not allowed to access /checkuser");
return $self->p->lmError( $req, 403 );
}
$self->userLogger->notice(
"user $req->{user} is allowed to access /checkuser");
# Check token
if ( $self->conf->{requireToken} ) {
my $token = $req->param('token');
......@@ -53,7 +62,7 @@ sub check {
$token = $self->ott->createToken( $req->sessionInfo );
}
unless ( $self->ott->getToken($token) ) {
$self->userLogger->warn('Ask try with expired/bad token');
$self->userLogger->warn('Checkuser try with expired/bad token');
$msg = PE_TOKENEXPIRED;
$token = $self->ott->createToken( $req->sessionInfo );
}
......@@ -79,25 +88,32 @@ sub check {
$attrs = $self->_userDatas($req);
if ( $req->error ) {
$msg = 'PE' . $req->{error};
$attrs = {};
$array_attrs = [ [], [], [] ];
}
else {
$msg = 'checkUser';
# Create an array of hashes for template loop
$self->logger->debug("Delete hidden or empty attributes");
if ( $self->conf->{checkUserDisplayEmptyValues} ) {
foreach my $k ( sort keys %$attrs ) {
# Ignore hidden attributes or empty values
if ( $self->conf->{checkUserDisplayEmptyValues} ) {
# Ignore hidden attributes
push @$array_attrs, { key => $k, value => $attrs->{$k} }
unless ( $self->hAttr =~ /\b$k\b/ );
}
}
else {
foreach my $k ( sort keys %$attrs ) {
# Ignore hidden attributes and empty values
push @$array_attrs, { key => $k, value => $attrs->{$k} }
unless ( $self->hAttr =~ /\b$k\b/ or !$attrs->{$k} );
}
}
$msg = 'checkUser';
# ARRAY_REF = [ A_REF GROUPS, A_REF MACROS, A_REF OTHERS ]
$array_attrs = $self->_splitAttributes($array_attrs);
}
# Check if user is allowed to access submitted URL and compute headers
......@@ -115,7 +131,6 @@ sub check {
# Return VirtualHost headers
$array_hdrs = $self->_headers( $req, $url );
}
my $token = $self->ott->createToken( $req->sessionInfo );
# Display form
return $self->p->sendHtml(
......@@ -140,15 +155,29 @@ sub check {
ALERTE_AUTH =>
( $auth eq 'allowed' ? 'alert-success' : 'alert-danger' ),
HEADERS => $array_hdrs,
ATTRIBUTES => $array_attrs,
TOKEN => $token,
ATTRIBUTES => $array_attrs->[2],
MACROS => $array_attrs->[1],
GROUPS => $array_attrs->[0],
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->sessionInfo )
: ''
)
}
);
}
sub display {
my ( $self, $req ) = @_;
my $token = $self->ott->createToken( $req->sessionInfo );
# Check access rule
unless ( $self->accessCtrl( $req, 'checkuser' ) ) {
$self->userLogger->error(
"user $req->{user} not allowed to access /checkuser");
return $self->p->lmError( $req, 403 );
}
$self->userLogger->notice(
"user $req->{user} is allowed to access /checkuser");
# Display form
return $self->p->sendHtml(
......@@ -165,7 +194,11 @@ sub display {
? ""
: $req->{user}
),
TOKEN => $token,
TOKEN => (
$self->conf->{requireToken}
? $self->ott->createToken( $req->sessionInfo )
: ''
)
}
);
}
......@@ -193,11 +226,8 @@ sub _userDatas {
sub _authorization {
my ( $self, $req, $uri ) = @_;
# Check rights
my ( $vhost, $appuri ) = $uri =~ m#^https?://([^/]*)(.*)#;
$vhost =~ s/:\d+$//;
$vhost = $self->p->HANDLER->resolveAlias($vhost);
$appuri ||= '/';
return $self->p->HANDLER->grant( $req, $req->{sessionInfo}, $appuri,
undef, $vhost );
......@@ -212,4 +242,31 @@ sub _headers {
return $self->p->HANDLER->checkHeaders( $req, $req->{sessionInfo} );
}
sub _splitAttributes {
my ( $self, $attrs ) = @_;
my ( $grps, $mcrs, $others ) = ( [], [], [] );
my $macros = $self->{conf}->{macros};
$self->logger->debug("Dispatching attributes...");
while (@$attrs) {
my $element = shift @$attrs;
my $ok = 0;
if ( $element->{key} eq 'groups' ) {
$self->logger->debug('Key "groups" found');
my $separator = $self->{conf}->{multiValuesSeparator};
my @tmp = split /\Q$separator/, $element->{value};
$grps = [ map { { value => $_ } } sort @tmp ];
next;
}
foreach my $key ( sort keys %$macros ) {
if ( $element->{key} eq $key ) {
push @$mcrs, $element;
$ok = 1;
last;
}
}
push @$others, $element unless $ok;
}
return [ $grps, $mcrs, $others ];
}
1;
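Review bot: The hidden-attribute filter `unless ( $self->hAttr =~ /\b$k\b/ )` in both loops of `check` interpolates the session key `$k` into the pattern unescaped, so a key containing regex metacharacters is matched as a pattern rather than a literal name and can be hidden or shown wrongly; `IdSpoofing::run` uses the same construct. Use `/\b\Q$k\E\b/` in all three places, as `_splitAttributes` already does for `$separator`. In `_splitAttributes` the inner `foreach my $key ( sort keys %$macros )` only tests key equality and can become `if ( exists $macros->{ $element->{key} } ) { push @$mcrs, $element } else { push @$others, $element }`, dropping `$ok`. The access-rule block added to `check` and `display` is duplicated verbatim and would read better as one private helper. `check` starts before its first hunk here.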
package Lemonldap::NG::Portal::Plugins::IdSpoofing;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants
qw( PE_OK PE_BADCREDENTIALS PE_IDSPOOFING_SERVICE_NOT_ALLOWED );
our $VERSION = '2.0.3';
extends 'Lemonldap::NG::Portal::Main::Plugin';
# INITIALIZATION
use constant endAuth => 'run';
has rule => ( is => 'rw', default => sub {1} );
sub hAttr {
$_[0]->{conf}->{idSpoofingHiddenAttributes} . ' '
. $_[0]->{conf}->{hiddenAttributes};
}
sub init {
my ($self) = @_;
# Parse activation rule
my $hd = $self->p->HANDLER;
$self->logger->debug(
"IdSpoofing rule -> " . $self->conf->{idSpoofingRule} );
my $rule
= $hd->buildSub( $hd->substitute( $self->conf->{idSpoofingRule} ) );
unless ($rule) {
$self->error( "Bad IdSpoofing rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{rule} = $rule;
return 1;
}
# RUNNING METHOD
sub run {
my ( $self, $req ) = @_;
my $spoofId = $req->param('spoofId') || '';
# Skip if no submitted SpoofId
return PE_OK unless $spoofId;
# Check activation rule
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('IdSpoofing service not authorized');
return PE_IDSPOOFING_SERVICE_NOT_ALLOWED;
}
# Fill spoof session
my ( $realSession, $spoofSession ) = ( {}, {} );
$self->logger->debug("Spoofing Id: $spoofId...");
my $spk = '';
foreach my $k ( keys %{ $req->{sessionInfo} } ) {
if ( $self->{conf}->{idSpoofingSkipEmptyValues} ) {
next unless defined $req->{sessionInfo}->{$k};
}
$spk = "$self->{conf}->{idSpoofingPrefix}$k";
unless ( $self->hAttr =~ /\b$k\b/ ) {
$realSession->{$spk} = $req->{sessionInfo}->{$k};
$self->logger->debug("-> Store $k in realSession key: $spk");
}
}
$req->{user} = $spoofId;
$spoofSession = $self->_userDatas($req);
$spoofSession = { %$spoofSession, %$realSession };
# Main session
#$self->p->updatePersistentSession( $req, $spoofSession ); #?????
$self->p->updateSession( $req, $spoofSession );
return PE_OK;
}
sub _userDatas {
my ( $self, $req ) = @_;
$req->{sessionInfo} = {};
# Search user in database
$req->steps(
[ 'getUser', 'setSessionInfo',
'setMacros', 'setGroups',
#'setPersistentSessionInfo', 'setLocalGroups'
'setLocalGroups'
]
);
if ( my $error = $self->p->process($req) ) {
if ( $error == PE_BADCREDENTIALS ) {
$self->userLogger->warn(
'IdSpoofing requested for an unvalid user ('
. $req->{user}
. ")" );
}
$self->logger->debug("Process returned error: $error");
return $req->error($error);
}
$self->logger->debug("Populating spoofed session...");
return $req->{sessionInfo};
}
1;
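Review bot: On L852 the session key `$k` is interpolated into the regex unescaped, so a key containing regex metacharacters (a dot, a plus, parentheses) is either treated as a pattern or makes the match die; the hidden-attribute filter should read `unless ( $self->hAttr =~ /\b\Q$k\E\b/ )`. On L858-859, `_userDatas` returns `$req->error($error)` when process() fails, which appears to be a scalar error code rather than a hashref, and `%$spoofSession` on L859 then dies on a non-reference — run should test `ref $spoofSession` and return the stored error, bearing in mind that L867 has already replaced `$req->{sessionInfo}` and L857 `$req->{user}`, so the real identity is no longer in the request by then. For auditing, the refusal on L840 and the success path before L862 should log at notice level with both identities, e.g. `$self->userLogger->notice("$realUser spoofed as $spoofId")` with `$realUser` captured from `$req->{user}` before L857. Finally, if idSpoofingPrefix is empty, the real-session keys overwrite the spoofed ones on L859 because `%$realSession` is spread last; a comment or an init-time check on the prefix would make that explicit.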
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"قبول",
"accessDenied":"ليس لديك إذن بالدخول لهذا التطبيق",
......@@ -146,6 +147,7 @@
"gotNewMessages":"لديك بعض الرسائل الجديدة",
"goToPortal":"انتقل إلى البوابة",
"gplSoft":"البرمجيات الحرة التي تغطيها رخصة GPL",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"انا متاكد",
......@@ -162,6 +164,7 @@
"logoutConfirm":"هل تريد تسجيل الخروج؟",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"البريد",
"mailSent2":"تم إرسال رسالة إلى عنوان بريدك الإلكتروني.",
"maintenanceMode":"هذا التطبيق في صيانة، يرجى محاولة الاتصال في وقت لاحق",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"الخدمة المقدمة من قبل",
"sessionsDeleted":"الجلسات التالية تم غلقها",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"جلسة الدخول الموحد غير نشطة",
"stayConnected":"ابق على اتصال على هذا الجهاز",
"submit":"قدم",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"Dieser Dienst benötigt Zwei-Faktor-Authentifizierung. Bitte legen Sie ein Gerät an und gehen dann zum Portal zurück.",
"accept":"Akzeptieren",
"accessDenied":"Sie haben keine Zugriffsberechtigung für diese Anwendung",
......@@ -146,6 +147,7 @@
"gotNewMessages":"Du hast neue Nachrichten",
"goToPortal":"Zum Portal",
"gplSoft":"Freie Software, die von der GPL-Lizenz abgedeckt wird",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"ID",
"imSure":"Ich bin sicher",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Willst du dich abmelden ?",
"logoutFromOtherApp":"Von anderen Anwendungen abmelden ...",
"logoutFromSP":"Von Dienstanbietern abmelden ...",
"macros":"MACROS",
"mail":"E-Mail",
"mailSent2":"Eine Nachricht wurde an deine E-Mail Adresse gesendet.",
"maintenanceMode":"Diese Anwendung ist in Wartung, bitte versuche später eine Verbindung herzustellen",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Dienst angeboten von",
"sessionsDeleted":"Die folgenden Sitzungen wurden geschlossen",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO Sitzung inaktiv",
"stayConnected":"Auf diesem Gerät verbunden bleiben",
"submit":"Absenden",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"You have some new messages",
"goToPortal":"Go to portal",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"I'm sure",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Do you want to logout?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"A message has been sent to your mail address.",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected": "Stay connected on this device",
"submit":"Submit",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"You have some new messages",
"goToPortal":"Go to portal",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"I'm sure",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Do you want to logout?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"A message has been sent to your mail address.",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
......@@ -92,6 +92,7 @@
"PE90":"Accès non autorisé au service OIDC",
"PE91":"Accès non autorisé au service OID",
"PE92":"Accès non autorisé au service GET",
"PE93":"Accès non autorisé au service IdSpoofing",
"2fRegRequired":"Ce service requiert une authentification à deux facteurs. Enregistrez un équipement ici et retournez au portail.",
"accept":"Accepter",
"accessDenied":"Vous n'avez pas les droits d'accès à cette application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"Vous avez de nouveaux messages",
"goToPortal":"Aller au portail",
"gplSoft":"logiciel libre protégé par la licence GPL",
"groups_sso":"GROUPES SSO",
"headers":"ENTETES",
"id":"Id",
"imSure":"Je suis sûr",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Souhaitez-vous vous déconnecter ?",
"logoutFromOtherApp":"Déconnexion des autres applications ...",
"logoutFromSP":"Déconnexion des services ...",
"macros":"MACROS",
"mail":"Adresse mail",
"mailSent2":"Un message a été envoyé à votre adresse mail.",
"maintenanceMode":"Cette application est en maintenance, merci de réessayer plus tard",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Ce service est fourni par",
"sessionsDeleted":"Les sessions suivantes ont été fermées",
"sfaManager":"Gestionnaire 2ndFA",
"spoofId":"Identifiant usurpé",
"SSOSessionInactive":"Session SSO inactive",
"stayConnected": "Rester connecté sur cet appareil",
"submit":"Envoyer",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"Questo servizio richiede un'autenticazione a doppio fattore. Registrare un dispositivo ora, quindi tornare al portale.",
"accept":"Accetta",
"accessDenied":"Non hai un'autorizzazione di accesso per questa applicazione",
......@@ -146,6 +147,7 @@
"gotNewMessages":"Hai dei nuovi messaggi",
"goToPortal":"Vai al portale",
"gplSoft":"Software libero coperto dalla licenza GPL",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"Sono sicuro",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Vuoi uscire?",
"logoutFromOtherApp":"Disconnetti da altre applicazioni ...",
"logoutFromSP":"Disconnessione dai fornitori di servizi ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"Vi é stato inviato un messaggio via mail",
"maintenanceMode":"Questa applicazione è in manutenzione, prova a connetterti più tardi",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Servizio offerto da",
"sessionsDeleted":"Le sessioni seguenti sono state chiuse",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"Sessione SSO inattiva",
"stayConnected":"Resta connesso su questo dispositivo",
"submit":"Invia",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"You have some new messages",
"goToPortal":"Go to portal",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"I'm sure",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Do you want to logout?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"A message has been sent to your mail address.",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"You have some new messages",
"goToPortal":"Go to portal",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"I'm sure",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Do you want to logout?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"A message has been sent to your mail address.",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
......@@ -146,6 +147,7 @@
"gotNewMessages":"You have some new messages",
"goToPortal":"Go to portal",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"I'm sure",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Do you want to logout?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Mail",
"mailSent2":"A message has been sent to your mail address.",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"Submit",
......@@ -92,6 +92,7 @@
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Chấp nhận",
"accessDenied":"Bạn không có quyền truy cập vào ứng dụng này",
......@@ -146,6 +147,7 @@
"gotNewMessages":"Bạn có một số tin nhắn mới",
"goToPortal":"Đi tới cổng thông tin",
"gplSoft":"phần mềm tự do được cấp phép bởi GPL",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"Tôi chắc chắn",
......@@ -162,6 +164,7 @@
"logoutConfirm":"Bạn có muốn đăng xuất?",
"logoutFromOtherApp":"Đăng xuất khỏi các ứng dụng khác ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"Thư",
"mailSent2":"Một tin nhắn đã được gửi đến địa chỉ thư của bạn.",
"maintenanceMode":"Ứng dụng này đang trong quá trình bảo trì, hãy thử kết nối sau",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Dịch vụ được cung cấp bởi",
"sessionsDeleted":"Các phiên làm việc sau đã được đóng lại",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"Phiên SSO không hoạt động",
"stayConnected":"Giữ kết nối trên thiết bị này",
"submit":"Gửi",
......@@ -88,11 +88,12 @@
"PE86":"Your account is locked. You must wait 30s before authenticate again",
"PE87":"You must authenticate again to access to Portal",
"PE88":"Your account must have an e-mail address in order to use double factor authentication",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"PE89":"Access non granted on SAML service",
"PE90":"Access non granted on OIDC service",
"PE91":"Access non granted on OID service",
"PE92":"Access non granted on GET service",
"PE93":"Access non granted on IdSpoofing service",
"2fRegRequired":"This service requires a double factor authentication. Register a device now, then go back to the portal.",
"accept":"Accept 方法",
"accessDenied":"您无权访问此应用",
"accountCreated":"您的账号已创建,临时密码已发送至您的邮箱",
......@@ -146,6 +147,7 @@
"gotNewMessages":"您有一些新消息",
"goToPortal":"回到首页",
"gplSoft":"free software covered by the GPL license",
"groups_sso":"SSO GROUPS",
"headers":"HEADERS",
"id":"Id",
"imSure":"我确认",
......@@ -162,6 +164,7 @@
"logoutConfirm":"您想注销登录吗?",
"logoutFromOtherApp":"Logout from other applications ...",
"logoutFromSP":"Logout from service providers ...",
"macros":"MACROS",
"mail":"邮件",
"mailSent2":"已经发送一封邮件到您的邮箱",
"maintenanceMode":"This application is in maintenance, please try to connect later",
......@@ -216,6 +219,7 @@
"serviceProvidedBy":"Service provided by",
"sessionsDeleted":"The following sessions have been closed",
"sfaManager":"2ndFA Manager",
"spoofId":"Spoofed Id",
"SSOSessionInactive":"SSO session inactive",
"stayConnected":"Stay connected on this device",
"submit":"提交",
......@@ -59,8 +59,53 @@
</div>
</TMPL_IF>
<div class="container">
<div class="row">
<TMPL_IF NAME="GROUPS">
<div class="card col-md-4 border-secondary">
<div class="card-body table-responsive">
<table class="table table-hover">
<thead>
<tr class="align-middle"><span trspan="groups_sso">GROUPS SSO</span></tr>
</thead>
<tbody>
<TMPL_LOOP NAME="GROUPS">
<tr>
<td class="align-middle"><TMPL_VAR NAME="value"></td>
</tr>
</TMPL_LOOP>
</tbody>
</table>
</div>
</div>
</TMPL_IF>
<TMPL_IF NAME="MACROS">
<div class="card col-md-4 border-secondary">
<div class="card-body table-responsive">
<table class="table table-hover">
<thead>
<tr class="align-middle"><span trspan="macros">MACROS</span></tr>
<tr>
<th class="align-middle"><span trspan="key">Key</span></th>
<th class="align-middle"><span trspan="value">Value</span></th>
</tr>
</thead>
<tbody>
<TMPL_LOOP NAME="MACROS">
<tr>
<td class="align-middle"><TMPL_VAR NAME="key"></td>
<td class="align-middle"><TMPL_VAR NAME="value"></td>
</tr>
</TMPL_LOOP>
</tbody>
</table>
</div>
</div>
</TMPL_IF>
<TMPL_IF NAME="ATTRIBUTES">
<div class="card mb-3 border-secondary">
<div class="card col-md-4 border-secondary">
<div class="card-body table-responsive">
<table class="table table-hover">
<thead>
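Review bot: A `<span>` is not permitted as a direct child of `<tr>` (L1269 and L1287); browsers hoist such content out of the table before rendering, so the headings will appear above the tables instead of inside them. Wrap each in a header cell, e.g. `<tr><th class="align-middle" colspan="2"><span trspan="macros">MACROS</span></th></tr>`, with `colspan="1"` for the single-column groups table on L1269.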
......@@ -82,6 +127,8 @@
</div>
</div>
</TMPL_IF>
</div>
</div>
<div class="buttons">
<button type="submit" class="btn btn-success">
......@@ -13,6 +13,15 @@
<input name="password" type="password" class="form-control" trplaceholder="password" required aria-required="true"/>
</div>
<TMPL_IF NAME="SPOOFID">
<div class="input-group mb-3">
<div class="input-group-prepend">
<span class="input-group-text"><i class="fa fa-user"></i> </span>
</div>
<input name="spoofId" type="text" class="form-control" trplaceholder="spoofId" aria-required="false"/>
</div>
</TMPL_IF>
<TMPL_IF NAME=CAPTCHA_SRC>
<div class="form-group">
<img src="<TMPL_VAR NAME=CAPTCHA_SRC>" class="img-thumbnail" />
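Review bot: `aria-required="false"` on L1328 is already the default for an input without `required` and can be dropped. Because the field names another identity, `autocomplete="off"` on that input keeps browsers from offering previously entered spoofed ids from form history. Whether the SPOOFID template flag is derived from the same idSpoofingRule the plugin evaluates server-side is not visible in this hunk.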