Commit 8d6899c2 authored by Clément OUDOT's avatar Clément OUDOT

Configuration keys for authentication levels (#152)

parent 093019d6
......@@ -298,6 +298,8 @@ sub struct {
openid => ['openIdParams'],
twitter => ['twitterParams'],
dbi => ['dbiParams'],
apache => ['apacheParams'],
null => ['nullParams'],
}->{$mod};
if ($tmp) {
$res{$_}++ foreach (@$tmp);
......@@ -355,10 +357,12 @@ sub struct {
# LDAP
ldapParams => {
_nodes => [
qw(n:ldapConnection n:ldapFilters n:ldapGroups n:ldapPassword)
qw(ldapAuthnLevel n:ldapConnection n:ldapFilters n:ldapGroups n:ldapPassword)
],
_help => 'ldap',
ldapAuthnLevel => 'int:/ldapAuthnLevel',
ldapConnection => {
_nodes => [
qw(ldapServer ldapPort ldapBase managerDn managerPassword ldapTimeout ldapVersion ldapRaw)
......@@ -413,23 +417,20 @@ sub struct {
# SSL
sslParams => {
_nodes => [qw(SSLVar SSLLDAPField SSLRequire)],
SSLVar => 'text:/SSLVar',
SSLLDAPField => 'text:/SSLLDAPField',
SSLRequire => 'bool:/SSLRequire',
},
# OpenID
openIDParams => {
_nodes => [qw(openIdSecret)],
openIdSecret => 'text:/openIdSecret',
_nodes =>
[qw(SSLAuthnLevel SSLVar SSLLDAPField SSLRequire)],
SSLAuthnLevel => 'int:/SSLAuthnLevel',
SSLVar => 'text:/SSLVar',
SSLLDAPField => 'text:/SSLLDAPField',
SSLRequire => 'bool:/SSLRequire',
},
# CAS
casParams => {
_nodes => [
qw(CAS_url CAS_CAFile CAS_renew CAS_gateway CAS_pgtFile cn:CAS_proxiedServices)
qw(CAS_authnLevel CAS_url CAS_CAFile CAS_renew CAS_gateway CAS_pgtFile cn:CAS_proxiedServices)
],
CAS_authnLevel => 'int:/CAS_authnLevel',
CAS_url => 'text:/CAS_url',
CAS_CAFile => 'text:/CAS_CAFile',
CAS_renew => 'bool:/CAS_renew',
......@@ -470,21 +471,29 @@ sub struct {
# OpenID
openIdParams => {
_nodes => [qw(openIdSecret)],
openIdSecret => 'text:/openIdSecret',
_nodes => [qw(openIdAuthnLevel openIdSecret)],
openIdAuthnLevel => 'int:/openIdAuthnLevel',
openIdSecret => 'text:/openIdSecret',
},
# Twitter
twitterParams => {
_nodes => [qw(twitterKey twitterSecret twitterAppName)],
twitterKey => 'text:/twitterKey',
twitterSecret => 'text:/twitterSecret',
twitterAppName => 'text:/twitterAppName',
_nodes => [
qw(twitterAuthnLevel twitterKey twitterSecret twitterAppName)
],
twitterAuthnLevel => 'int:/twitterAuthnLevel',
twitterKey => 'text:/twitterKey',
twitterSecret => 'text:/twitterSecret',
twitterAppName => 'text:/twitterAppName',
},
# DBI
dbiParams => {
_nodes => [qw(n:dbiConnection n:dbiSchema n:dbiPassword)],
_nodes => [
qw(dbiAuthnLevel n:dbiConnection n:dbiSchema n:dbiPassword)
],
dbiAuthnLevel => 'int:/dbiAuthnLevel',
dbiConnection => {
_nodes => [qw(n:dbiConnectionAuth n:dbiConnectionUser)],
......@@ -523,6 +532,19 @@ sub struct {
dbiAuthPasswordHash => 'text:/dbiAuthPasswordHash',
},
},
# Apache
apacheParams => {
_nodes => [qw(apacheAuthnLevel)],
apacheAuthnLevel => 'int:/apacheAuthnLevel',
},
# Null
nullParams => {
_nodes => [qw(nullAuthnLevel)],
nullAuthnLevel => 'int:/nullAuthnLevel',
},
},
# LOGS PARAMETERS
......@@ -978,6 +1000,8 @@ sub testStruct {
return ( 0, $@ );
};
my $boolean = { test => qr/^(?:0|1)?$/, msgFail => 'Value must be 0 or 1' };
my $integer =
{ test => qr/^(?:\d)+$/, msgFail => 'Value must be an integer' };
my $pcre = sub {
my $r = shift;
my $q;
......@@ -1091,7 +1115,8 @@ sub testStruct {
1;
},
},
ldapBase => {
ldapAuthnLevel => $integer,
ldapBase => {
test => qr/^(?:\w+=.*|)$/,
msgFail => 'Bad LDAP base',
},
......@@ -1355,11 +1380,13 @@ sub testStruct {
},
# SSL
SSLVar => $testNotDefined,
SSLLDAPField => $testNotDefined,
SSLRequire => $boolean,
SSLAuthnLevel => $integer,
SSLVar => $testNotDefined,
SSLLDAPField => $testNotDefined,
SSLRequire => $boolean,
# CAS
CAS_authnLevel => $integer,
CAS_url => $testNotDefined,
CAS_CAFile => $testNotDefined,
CAS_renew => $boolean,
......@@ -1387,14 +1414,17 @@ sub testStruct {
soapSessionService => $testNotDefined,
# OpenID
openIdSecret => $testNotDefined,
openIdAuthnLevel => $integer,
openIdSecret => $testNotDefined,
# Twitter
twitterKey => $testNotDefined,
twitterSecret => $testNotDefined,
twitterAppName => $testNotDefined,
twitterAuthnLevel => $integer,
twitterKey => $testNotDefined,
twitterSecret => $testNotDefined,
twitterAppName => $testNotDefined,
# DBI
dbiAuthnLevel => $integer,
dbiAuthChain => $testNotDefined,
dbiAuthUser => $testNotDefined,
dbiAuthPassword => $testNotDefined,
......@@ -1409,6 +1439,12 @@ sub testStruct {
userPivot => $testNotDefined,
dbiAuthPasswordHash => $testNotDefined,
# Apache
apacheAuthnLevel => $integer,
# Null
nullAuthnLevel => $integer,
# Zimbra
zimbraPreAuthKey => $testNotDefined,
zimbraAccountKey => $testNotDefined,
......@@ -1590,6 +1626,15 @@ sub defaultConf {
samlServicePublicKeyEnc => '',
samlMetadataForceUTF8 => 1,
# Authentication levels
ldapAuthnLevel => 2,
dbiAuthnLevel => 2,
SSLAuthnLevel => 5,
CAS_authnLevel => 1,
openIdAuthnLevel => 1,
twitterAuthnLevel => 1,
apacheAuthnLevel => 4,
nullAuthnLevel => 0,
};
}
......
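Review bot: The new default `nullAuthnLevel => 0` in the defaultConf hunk disagrees with the portal's setDefaultValues hunk later in this commit, which falls back to `$self->{nullAuthnLevel} = 2 unless defined $self->{nullAuthnLevel};`; AuthNull previously hard-coded 0, and an anonymous Null session at level 2 would rank equal to the LDAP and DBI defaults, so the portal line should read `$self->{nullAuthnLevel} = 0 unless defined $self->{nullAuthnLevel};`. Secondarily, the `$integer` validator added in testStruct uses `qr/^(?:\d)+$/`, where `$` also matches before a trailing newline; `qr/\A\d+\z/` rejects that input and drops the needless group. All eight level defaults now live in two places, so a comment in defaultConf such as `# Keep in step with Portal setDefaultValues` would help them stay aligned.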
......@@ -48,6 +48,8 @@ __END__
sub en {
return {
advancedParams => 'Advanced parameters',
apacheParams => 'Apache parameters',
apacheAuthnLevel => 'Authentication level',
attributesAndMacros => 'Attributes and macros',
authentication => 'Authentication module',
AuthLDAPFilter => 'Authentication filter',
......@@ -55,6 +57,7 @@ sub en {
dbiAuthChain => 'Chain',
dbiAuthLoginCol => 'Login field name',
dbiAuthMailCol => 'Mail field name',
dbiAuthnLevel => 'Authentication level',
dbiAuthPassword => 'Password',
dbiAuthPasswordCol => 'Password field name',
dbiAuthPasswordHash => 'Hash scheme',
......@@ -71,6 +74,7 @@ sub en {
dbiUserTable => 'User table',
dbiUserUser => 'User',
deleteSession => 'Delete session',
CAS_authnLevel => 'Authentication level',
CAS_CAFile => 'CA file',
CAS_gateway => 'Gateway authentication',
CAS_pgtFile => 'PGT file',
......@@ -113,6 +117,7 @@ sub en {
issuerDBOpenIDActivation => 'Activation',
issuerDBOpenIDPath => 'Path',
issuerDBOpenIDRule => 'Use rule',
ldapAuthnLevel => 'Authentication level',
ldapBase => 'Users search base',
ldapChangePasswordAsUser => 'Change as user',
ldapConnection => 'Connection',
......@@ -156,6 +161,9 @@ sub en {
notificationStorageOptions => 'Storage module parameters',
notifyDeleted => 'Display deleted sessions',
notifyOther => 'Display other sessions',
nullAuthnLevel => 'Authentication level',
nullParams => 'Null parameters',
openIdAuthnLevel => 'Authentication level',
openIdParams => 'OpenID parameters',
openIdSecret => 'Secret token',
passwordDB => 'Password module',
......@@ -200,6 +208,7 @@ sub en {
soapAuthService => 'Portal URL',
soapSessionService => 'SOAP sessions end point',
specialHandlers => 'Special Handlers',
SSLAuthnLevel => 'Authentication level',
SSLLDAPField => 'LDAP attribute used in filter',
sslParams => 'SSL parameters',
SSLRequire => 'SSL Required',
......@@ -214,6 +223,7 @@ sub en {
timeoutActivity => 'Sessions activity timeout',
trustedDomains => 'Trusted domains',
twitterAppName => 'Application name',
twitterAuthnLevel => 'Authentication level',
twitterKey => 'API key',
twitterParams => 'Twitter parameters',
twitterSecret => 'API secret',
......@@ -348,6 +358,8 @@ sub fr {
use utf8;
return {
advancedParams => 'Paramètres avancés',
apacheParams => 'Paramètres Apache',
apacheAuthnLevel => 'Niveau d\'authentification',
attributesAndMacros => 'Attributs et macros',
authentication => "Module d'authentification",
AuthLDAPFilter => 'Filtre d\'authentification',
......@@ -355,6 +367,7 @@ sub fr {
dbiAuthChain => 'Chaîne',
dbiAuthLoginCol => 'Champ identifiant',
dbiAuthMailCol => 'Champ mail',
dbiAuthnLevel => 'Niveau d\'authentification',
dbiAuthPassword => 'Mot de passe',
dbiAuthPasswordCol => 'Champ mot de passe',
dbiAuthPasswordHash => 'Schéma de hachage',
......@@ -371,6 +384,7 @@ sub fr {
dbiUserTable => 'Table des utilisateurs',
dbiUserUser => 'Utilisateur',
deleteSession => 'Effacer la session',
CAS_authnLevel => 'Niveau d\'authentification',
CAS_CAFile => 'Fichier d\'AC',
CAS_gateway => 'Authentification transparente',
CAS_pgtFile => 'Fichier de PGT',
......@@ -413,6 +427,7 @@ sub fr {
issuerDBOpenIDActivation => 'Activation',
issuerDBOpenIDPath => 'Chemin',
issuerDBOpenIDRule => 'Règle d\'utilisation',
ldapAuthnLevel => 'Niveau d\'authentification',
ldapBase => 'Base de recherche des utilisateurs',
ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur',
ldapConnection => 'Connexion',
......@@ -456,6 +471,9 @@ sub fr {
notificationStorageOptions => 'Paramètres du module de stockage',
notifyDeleted => 'Affiche les sessions effacées',
notifyOther => 'Affiche les autres sessions',
nullAuthnLevel => 'Niveau d\'authentification',
nullParams => 'Paramètres Null',
openIdAuthnLevel => 'Niveau d\'authentification',
openIdParams => 'Paramètres OpenID',
openIdSecret => 'Jeton secret',
passwordDB => 'Module de mot de passe',
......@@ -501,31 +519,33 @@ sub fr {
soapAuthService => 'URL du portail',
soapSessionService => 'Point d\'accès SOAP des sessions',
specialHandlers => 'Handlers spéciaux',
SSLAuthnLevel => 'Niveau d\'authentification',
SSLLDAPField => 'Attribut LDAP pour le filtre',
sslParams => 'Paramètres SSL',
SSLRequire => 'SSL Requis',
SSLVar => 'Champ extrait du certificat',
storePassword =>
"Stocke le mot-de-passe de l'utilisateur dans les données de session",
sympaHandler => 'Sympa',
sympaMailKey => 'Clé de session pour le mail',
sympaSecret => 'Secret partagé',
syntaxError => 'Erreur de syntaxe',
syslog => 'Facilité syslog',
timeout => 'Durée de vie maximale des sessions',
timeoutActivity => 'Délai d\'expiration des sessions',
trustedDomains => 'Domaines appouvés',
twitterAppName => 'Nom de l\'application',
twitterKey => 'Clé de l\'API',
twitterParams => 'Paramètres Twitter',
twitterSecret => 'Secret de l\'API',
unknownError => 'Erreur inconnue',
uploadDenied => 'Téléchargement refusé',
user => 'utilisateur',
users => 'utilisateurs',
userDB => "Module d'utilisateurs",
userControl => "Contrôle du nom d'utilisateur",
userPivot => 'Champ identifiant dans la table des utilisateurs',
sympaHandler => 'Sympa',
sympaMailKey => 'Clé de session pour le mail',
sympaSecret => 'Secret partagé',
syntaxError => 'Erreur de syntaxe',
syslog => 'Facilité syslog',
timeout => 'Durée de vie maximale des sessions',
timeoutActivity => 'Délai d\'expiration des sessions',
trustedDomains => 'Domaines appouvés',
twitterAppName => 'Nom de l\'application',
twitterAuthnLevel => 'Niveau d\'authentification',
twitterKey => 'Clé de l\'API',
twitterParams => 'Paramètres Twitter',
twitterSecret => 'Secret de l\'API',
unknownError => 'Erreur inconnue',
uploadDenied => 'Téléchargement refusé',
user => 'utilisateur',
users => 'utilisateurs',
userDB => "Module d'utilisateurs",
userControl => "Contrôle du nom d'utilisateur",
userPivot => 'Champ identifiant dans la table des utilisateurs',
useXForwardedForIP =>
"Utiliser l'adresse IP de l'en-tête X-Forwarded-For",
variables => "Variables",
......
......@@ -43,8 +43,7 @@ sub setAuthSessionInfo {
# Store user submitted login for basic rules
$self->{sessionInfo}->{'_user'} = $self->{'user'};
# authenticationLevel 4 for Apache authentication
$self->{sessionInfo}->{authenticationLevel} = 4;
$self->{sessionInfo}->{authenticationLevel} = $self->{apacheAuthnLevel};
PE_OK;
}
......
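Review bot: The comment `# authenticationLevel 4 for Apache authentication` directly above the new assignment still documents the removed hard-coded value and no longer matches the code. The same stale comments survive in the AuthCAS hunk (`# authenticationLevel 1 for external authentication`), the AuthSSL hunk (`# authenticationLevel 5 for SSL`), the AuthTwitter hunk and the AuthOpenID hunk (`# Since OpenID doesn't share authentication level, falling to 1`). Suggest `# authenticationLevel is taken from apacheAuthnLevel (default set in setDefaultValues)` here and the equivalent wording in each of the other modules, since a reader relying on the comment would assume the level is still fixed.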
......@@ -154,8 +154,7 @@ sub setAuthSessionInfo {
# Store user submitted login for basic rules
$self->{sessionInfo}->{'_user'} = $self->{'user'};
# authenticationLevel 1 for external authentication
$self->{sessionInfo}->{authenticationLevel} = 1;
$self->{sessionInfo}->{authenticationLevel} = $self->{CAS_authnLevel};
PE_OK;
}
......
......@@ -28,6 +28,8 @@ sub authInit {
return PE_ERROR;
}
$self->{_authnLevel} = $self->{dbiAuthnLevel};
PE_OK;
}
......
......@@ -17,9 +17,13 @@ use base qw(Lemonldap::NG::Portal::_WebForm);
*_search = *Lemonldap::NG::Portal::UserDBLDAP::search;
## @apmethod int authInit()
# Load Net::LDAP::Control::PasswordPolicy if needed
# Set _authnLevel
# @return Lemonldap::NG::Portal constant
sub authInit {
my $self = shift;
$self->{_authnLevel} = $self->{ldapAuthnLevel};
PE_OK;
}
......
......@@ -24,7 +24,7 @@ sub setAuthSessionInfo {
my $self = shift;
$self->{sessionInfo}->{'_user'} = 'anonymous';
$self->{sessionInfo}->{authenticationLevel} = 0;
$self->{sessionInfo}->{authenticationLevel} = $self->{nullAuthnLevel};
PE_OK;
}
......
......@@ -123,8 +123,7 @@ sub setAuthSessionInfo {
$self->{sessionInfo}->{'_user'} = $self->{user};
# Since OpenID doesn't share authentication level, falling to 1
$self->{sessionInfo}->{authenticationLevel} = 1;
$self->{sessionInfo}->{authenticationLevel} = $self->{openIdAuthnLevel};
PE_OK;
}
......
......@@ -61,8 +61,7 @@ sub setAuthSessionInfo {
# Store user certificate login for basic rules
$self->{sessionInfo}->{'_user'} = $self->{'user'};
# authenticationLevel 5 for SSL
$self->{sessionInfo}->{authenticationLevel} = 5;
$self->{sessionInfo}->{authenticationLevel} = $self->{SSLAuthnLevel};
PE_OK;
}
......@@ -73,7 +72,8 @@ sub setAuthSessionInfo {
sub authenticate {
my $self = shift;
if ( $self->{sessionInfo}->{authenticationLevel}
and $self->{sessionInfo}->{authenticationLevel} > 4 )
and $self->{sessionInfo}->{authenticationLevel} >=
$self->{SSLAuthnLevel} )
{
return PE_OK;
}
......
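Review bot: Changing the guard in authenticate from `> 4` to `>= $self->{SSLAuthnLevel}` means an existing session whose level merely equals the configured SSL level now skips the certificate check, and if an administrator lowers SSLAuthnLevel to the level of a password module (the Manager defaults in this commit put LDAP and DBI at 2), a password-authenticated session satisfies SSL authentication without presenting a certificate. That is presumably the intended semantic, but nothing on the page documents it; suggest a comment above the `if`, `# A session already at or above SSLAuthnLevel is accepted as is; keep SSLAuthnLevel above every password module's level`, and the same caveat in the Manager help for SSLAuthnLevel. The rest of authenticate is outside the hunk.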
......@@ -134,8 +134,7 @@ sub setAuthSessionInfo {
$self->{sessionInfo}->{$_} = $self->{twitterUser}->{$_};
}
# authenticationLevel 1 for external authentication
$self->{sessionInfo}->{authenticationLevel} = 1;
$self->{sessionInfo}->{authenticationLevel} = $self->{twitterAuthnLevel};
PE_OK;
}
......
......@@ -487,6 +487,17 @@ sub setDefaultValues {
# CAS
$self->{casStorage} ||= $self->{globalStorage};
$self->{casStorageOptions} ||= $self->{globalStorageOptions};
# Authentication levels
$self->{ldapAuthnLevel} = 2 unless defined $self->{ldapAuthnLevel};
$self->{dbiAuthnLevel} = 2 unless defined $self->{dbiAuthnLevel};
$self->{SSLAuthnLevel} = 5 unless defined $self->{SSLAuthnLevel};
$self->{CAS_authnLevel} = 1 unless defined $self->{CAS_authnLevel};
$self->{openIdAuthnLevel} = 1 unless defined $self->{openIdAuthnLevel};
$self->{twitterAuthnLevel} = 1 unless defined $self->{twitterAuthnLevel};
$self->{apacheAuthnLevel} = 4 unless defined $self->{apacheAuthnLevel};
$self->{nullAuthnLevel} = 2 unless defined $self->{nullAuthnLevel};
}
## @method protected void setHiddenFormValue(string fieldname, string value, string prefix, boolean base64)
......
......@@ -45,11 +45,13 @@ sub setAuthSessionInfo {
my $self = shift;
# authenticationLevel
# 1 for user/password with HTTP and password can be remebered
# 2 for user/password with HTTP
# 3 for user/password with HTTPS
$self->{sessionInfo}->{authenticationLevel} =
( $self->https() ? 3 : ( $self->{portalAutocomplete} ? 1 : 2 ) );
# -1 if password can be remebered
# +1 for user/password with HTTPS
$self->{_authnLevel} ||= 0;
$self->{_authnLevel} += 1 if $self->https();
$self->{_authnLevel} -= 1 if $self->{portalAutocomplete};
$self->{sessionInfo}->{authenticationLevel} = $self->{_authnLevel};
# Store user submitted login for basic rules
$self->{sessionInfo}->{'_user'} = $self->{'user'};
......
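Review bot: The new lines adjust `$self->{_authnLevel}` in place (`||= 0`, `+= 1`, `-= 1`), so if the same portal object ever serves more than one request the HTTPS bonus is added again on each call and the configured level drifts upward; computing into a local avoids that: `my $level = ( $self->{_authnLevel} || 0 ) + ( $self->https() ? 1 : 0 ) - ( $self->{portalAutocomplete} ? 1 : 0 );` followed by `$self->{sessionInfo}->{authenticationLevel} = $level;`. Whether the object is reused across requests is not visible here, so this is worth confirming rather than assuming. Note also that any _WebForm-based module whose authInit does not set `_authnLevel` now produces level 0 or 1 where the old code produced 2 or 3, and that the combined HTTPS-plus-autocomplete case now yields the base level instead of the old 3; both look like unintended consequences of the refactoring. The comments spell "remembered" as `remebered` twice.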
......@@ -405,8 +405,8 @@ sub msg_fr {
'Redirection en cours...',
'Retourner sur le fournisseur de service',
'Le service duquel vous arrivez a fourni un lien que vous êtes invité à suivre',
'Déconnexion des autres applications...'
'Souhaitez-vous vous identifier sur ce site ?',
'Déconnexion des autres applications...',
'Souhaitez-vous vous identifier sur ce site ?',
];
}