Commit ff0c8029 authored by Xavier Guimard's avatar Xavier Guimard

Change oidc content key for removal (#1431)

parent 31d3b1e7
...@@ -111,18 +111,20 @@ sub defaultValues { ...@@ -111,18 +111,20 @@ sub defaultValues {
'locationRules' => { 'locationRules' => {
'default' => 'deny' 'default' => 'deny'
}, },
'logoutServices' => {}, 'logoutServices' => {},
'macros' => {}, 'macros' => {},
'mailCharset' => 'utf-8', 'mailCharset' => 'utf-8',
'mailFrom' => 'noreply@example.com', 'mailFrom' => 'noreply@example.com',
'mailSessionKey' => 'mail', 'mailSessionKey' => 'mail',
'mailTimeout' => 0, 'mailTimeout' => 0,
'mailUrl' => 'http://auth.example.com/resetpwd', 'mailUrl' => 'http://auth.example.com/resetpwd',
'managerDn' => '', 'managerDn' => '',
'managerPassword' => '', 'managerPassword' => '',
'max2FDevices' => 10, 'max2FDevices' => 10,
'max2FDevicesNameLength' => 20, 'max2FDevicesNameLength' => 20,
'multiValuesSeparator' => '; ', 'multiValuesSeparator' => '; ',
'mySessionAuthorizedRWKeys' =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
'notificationStorage' => 'File', 'notificationStorage' => 'File',
'notificationStorageOptions' => { 'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications' 'dirName' => '/var/lib/lemonldap-ng/notifications'
......
...@@ -123,8 +123,12 @@ sub BUILD { ...@@ -123,8 +123,12 @@ sub BUILD {
if ( $self->{info} ) { if ( $self->{info} ) {
foreach ( keys %{ $self->{info} } ) { foreach ( keys %{ $self->{info} } ) {
$data->{$_} = $self->{info}->{$_} if ( defined $self->{info}->{$_} ) {
if ( defined $self->{info}->{$_} ); $data->{$_} = $self->{info}->{$_};
}
else {
delete $data->{$_};
}
} }
delete $self->{info}; delete $self->{info};
} }
......
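Review bot: The new `else` branch changes the meaning of an undefined value in `$self->{info}` from "leave `$data` untouched" to "remove this key", but nothing in the hunk records that contract, so a caller that passes undef for keys it has not loaded now loses them. A comment above the loop would make the intent explicit: `# an undef value in info deletes the key from $data (used to drop session keys)`. BUILD starts and ends outside this hunk, so the callers that rely on the old behaviour cannot be checked from here.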
...@@ -5,6 +5,11 @@ our $VERSION = '2.0.0'; ...@@ -5,6 +5,11 @@ our $VERSION = '2.0.0';
sub types { sub types {
return { return {
'array' => {
'test' => sub {
1;
}
},
'authParamsText' => { 'authParamsText' => {
'test' => sub { 'test' => sub {
1; 1;
...@@ -1592,6 +1597,11 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ ...@@ -1592,6 +1597,11 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => '; ', 'default' => '; ',
'type' => 'authParamsText' 'type' => 'authParamsText'
}, },
'mySessionAuthorizedRWKeys' => {
'default' =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
'type' => 'array'
},
'nginxCustomHandlers' => { 'nginxCustomHandlers' => {
'keyTest' => qr/^\w+$/, 'keyTest' => qr/^\w+$/,
'msgFail' => '__badPerlPackageName__', 'msgFail' => '__badPerlPackageName__',
......
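Review bot: The new `array` type's `test` is `sub { 1; }`, which accepts any value, yet the only attribute using it, `mySessionAuthorizedRWKeys`, feeds its entries straight into regexes and `eq` checks in the REST session handler, so a stray regex metacharacter, a bare `*` or an empty entry silently widens which session keys a user may write or delete. A test that rejects entries outside `[\w*]` (and rejects a lone `*`) would catch this at configuration time; the signature of a type-level `test` callback is not visible in this hunk, so confirm it against the existing types before writing it, e.g. `'test' => sub { ... }  # each entry must be a session key name, optionally with '*' wildcards`. The same accept-all `array` type is added in the next file section (`sub types` at `@@ -208,6 +208,9 @@`).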
...@@ -208,6 +208,9 @@ sub types { ...@@ -208,6 +208,9 @@ sub types {
samlService => { samlService => {
test => sub { 1 } test => sub { 1 }
}, },
array => {
test => sub { 1 }
},
}; };
} }
...@@ -220,7 +223,13 @@ sub attributes { ...@@ -220,7 +223,13 @@ sub attributes {
documentation => documentation =>
'Timeout to check new configuration in local cache', 'Timeout to check new configuration in local cache',
default => 600, default => 600,
flags => 'hp', flags => 'hp',
},
mySessionAuthorizedRWKeys => {
type => 'array',
documentation => 'Alterable session keys by user itself',
default =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
}, },
configStorage => { configStorage => {
type => 'text', type => 'text',
......
...@@ -17,7 +17,7 @@ sub init { ...@@ -17,7 +17,7 @@ sub init {
my ($self) = @_; my ($self) = @_;
$self->conf->{remoteCookieName} ||= $self->conf->{cookieName}; $self->conf->{remoteCookieName} ||= $self->conf->{cookieName};
$self->conf->{proxySessionService} ||= $self->conf->{proxySessionService} ||=
$self->conf->{proxyAuthService} . '/mysession'; $self->conf->{proxyAuthService} . '/session/my';
$self->conf->{proxySessionService} =~ s#/*$##; $self->conf->{proxySessionService} =~ s#/*$##;
$self->ua( Lemonldap::NG::Common::UserAgent->new( $self->conf ) ); $self->ua( Lemonldap::NG::Common::UserAgent->new( $self->conf ) );
$self->ua->default_header( Accept => 'application/json' ); $self->ua->default_header( Accept => 'application/json' );
......
...@@ -10,9 +10,9 @@ ...@@ -10,9 +10,9 @@
# * DELETE /sessions/<type>/<session-id> : delete a session # * DELETE /sessions/<type>/<session-id> : delete a session
# #
# - Sessions for connected users (if restSessionServer is on): # - Sessions for connected users (if restSessionServer is on):
# * GET /mysession/<type> : get session datas # * GET /session/my/<type> : get session datas
# * GET /mysession/<type>/key : get session key # * GET /session/my/<type>/key : get session key
# * DELETE /mysession : ask for logout # * DELETE /session/my : ask for logout
# #
# - Authentication # - Authentication
# * POST /sessions/<type>/<session-id>?auth : authenticate with a fixed # * POST /sessions/<type>/<session-id>?auth : authenticate with a fixed
...@@ -34,7 +34,9 @@ ...@@ -34,7 +34,9 @@
# * GET /mysession/?authorizationfor=<base64-encoded-url>: ask if url is # * GET /mysession/?authorizationfor=<base64-encoded-url>: ask if url is
# authorizated # authorizated
# * PUT /mysession/<type> : update some # * PUT /mysession/<type> : update some
# persistent datas # persistent data
# (restricted)
# * DELETE /mysession/<type>/key : delete key in data
# (restricted) # (restricted)
# #
# There is no conflict with SOAP server, they can be used together # There is no conflict with SOAP server, they can be used together
...@@ -148,11 +150,11 @@ sub init { ...@@ -148,11 +150,11 @@ sub init {
sessions => { ':sessionType' => 'delSession' }, sessions => { ':sessionType' => 'delSession' },
['DELETE'] ['DELETE']
); );
$self->addAuthRoute( $self->addAuthRoute(
mysession => { ':sessionType' => 'getMyKey' }, session => { my => { ':sessionType' => 'getMyKey' } },
[ 'GET', 'POST' ] [ 'GET', 'POST' ]
); );
$self->addAuthRoute( mysession => 'delMySession', ['DELETE'] );
} }
# Methods always available # Methods always available
...@@ -160,6 +162,10 @@ sub init { ...@@ -160,6 +162,10 @@ sub init {
mysession => { '*' => 'mysession' }, mysession => { '*' => 'mysession' },
[ 'GET', 'POST' ] [ 'GET', 'POST' ]
); );
$self->addAuthRoute(
mysession => { ':key' => 'delKeyInMySession', '*' => 'delMySession' },
['DELETE']
);
$self->addAuthRoute( $self->addAuthRoute(
mysession => { ':sessionType' => 'updateMySession' }, mysession => { ':sessionType' => 'updateMySession' },
['PUT'] ['PUT']
...@@ -357,8 +363,17 @@ sub updateMySession { ...@@ -357,8 +363,17 @@ sub updateMySession {
if ( my $token = $req->param('token') ) { if ( my $token = $req->param('token') ) {
if ( $self->ott->getToken($token) ) { if ( $self->ott->getToken($token) ) {
if ( $req->param('sessionType') eq 'persistent' ) { if ( $req->param('sessionType') eq 'persistent' ) {
foreach my $key (qw(_appsListOrder _oidcConnectedRP)) { foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} ) {
my $v = $req->param($key); my $v;
if ( $key =~ /\*/ ) {
$key =~ s/\*/\.\*/g;
if ( my ($k) = grep( /$key/, $req->params ) ) {
$v = $req->param($k);
}
}
else {
$v = $req->param($key);
}
if ( defined $v ) { if ( defined $v ) {
$res++; $res++;
push @$mKeys, $key; push @$mKeys, $key;
...@@ -382,4 +397,43 @@ sub updateMySession { ...@@ -382,4 +397,43 @@ sub updateMySession {
{ result => 1, count => $res, modifiedKeys => $mKeys } ); { result => 1, count => $res, modifiedKeys => $mKeys } );
} }
sub delKeyInMySession {
my ( $self, $req ) = @_;
my $res = 0;
my $mKeys = [];
my $dkey = $req->param('key');
if ( my $token = $req->param('token') ) {
if ( $self->ott->getToken($token) ) {
if ( $req->param('sessionType') eq 'persistent' ) {
foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} ) {
if ( $key =~ /\*/ ) {
$key =~ s/\*/\.\*/g;
if ( $dkey =~ /$key/ ) {
$res++;
}
}
elsif ( $dkey eq $key ) {
$res++;
}
}
if ($res) {
$self->p->updatePersistentSession( $req,
{ $dkey => undef } );
}
}
}
else {
$self->logger->error('Update session request with invalid token');
}
}
else {
$self->logger->error('Update session request without token');
}
unless ($res) {
return $self->p->sendError( $req, 'Modification refused', 403 );
}
return $self->p->sendJSONresponse( $req,
{ result => 1, count => $res, modifiedKeys => $dkey } );
}
1; 1;
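Review bot: `delKeyInMySession` loops with `foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} )`, which iterates once over the array reference itself rather than its entries (the defaults at `@@ -111,18 +111,20 @@` and both attribute definitions store an arrayref), so no whitelist entry ever matches and every deletion is refused; the identical line appears in the `updateMySession` hunk. Once dereferenced, `$key =~ s/\*/\.\*/g` rewrites the aliased configuration entry in place on every request, and the resulting pattern is matched unanchored and unquoted (`$dkey =~ /$key/`), so `_oidc_consent_*` also authorises deleting any key that merely contains `_oidc_consent_`. The rewrite below dereferences the list, builds the pattern with `quotemeta` and anchors it; the same treatment applies to `grep( /$key/, $req->params )` in `updateMySession`, where the value pushed to `$mKeys` is the pattern rather than the matched parameter name `$k` (the rest of that loop is outside the hunk, so check what is actually written to the session). Finally this handler returns `modifiedKeys => $dkey` as a plain string while `updateMySession` returns an arrayref, and `$mKeys` is declared but unused here; `modifiedKeys => [$dkey]` keeps the two endpoints consistent.
```perl
            if ( $req->param('sessionType') eq 'persistent' ) {
                foreach my $key ( @{ $self->conf->{mySessionAuthorizedRWKeys} || [] } ) {
                    if ( $key =~ /\*/ ) {
                        # '*' matches any run of characters; everything else is literal
                        my $re = join '.*', map { quotemeta } split( /\*/, $key, -1 );
                        $res++ if $dkey =~ /\A$re\z/;
                    }
                    elsif ( $dkey eq $key ) {
                        $res++;
                    }
                }
                # … unchanged: updatePersistentSession call …
            }
            # … unchanged: token and error handling …
    return $self->p->sendJSONresponse( $req,
        { result => 1, count => $res, modifiedKeys => [$dkey] } );
```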
...@@ -60,15 +60,27 @@ setOrder = -> ...@@ -60,15 +60,27 @@ setOrder = ->
# Function used to remove an OIDC consent # Function used to remove an OIDC consent
removeOidcConsent = (partner) -> removeOidcConsent = (partner) ->
r = new RegExp "\b#{partner}\b,?", 'g' #r = new RegExp "\b#{partner}\b,?", 'g'
datas['oidcConsents'] = datas['oidcConsents'].replace(r,'').replace(/,$/,'') #datas['oidcConsents'] = datas['oidcConsents'].replace(r,'').replace(/,$/,'')
setKey '_oidcConnectedRP', datas['oidcConsents'] #setKey '_oidcConnectedRP', datas['oidcConsents']
# # Success
# , () ->
# $("[partner='#{partner}']").hide()
# # Error
# , (j,s,e) ->
# alert "#{s} #{e}"
e = (j,s,e) ->
alert "#{s} #{e}"
delKey "_oidc_consent_time_#{partner}"
# Success # Success
, () -> , () ->
$("[partner='#{partner}']").hide() delKey "_oidc_consent_scope_#{partner}"
# Error # Success
, (j,s,e) -> , () ->
alert "#{s} #{e}" $("[partner='#{partner}']").hide()
# Error
, e
, e
# Function used by setOrder() and removeOidcConsent() to push new values # Function used by setOrder() and removeOidcConsent() to push new values
# For security reason, modification is rejected unless a valid token is given # For security reason, modification is rejected unless a valid token is given
...@@ -92,6 +104,21 @@ setKey = (key,val,success,error) -> ...@@ -92,6 +104,21 @@ setKey = (key,val,success,error) ->
success: success success: success
error: error error: error
delKey = (key,success,error) ->
$.ajax
type: "GET"
url: datas['scriptname'] + '/mysession/?gettoken'
dataType: 'json'
error: error
# On success, value is set
success: (data) ->
$.ajax
type: "DELETE"
url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}"
dataType: 'json'
success: success
error: error
# function that restores the list order from session # function that restores the list order from session
restoreOrder = -> restoreOrder = ->
list = $(setSelector) list = $(setSelector)
......
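Review bot: `delKey` interpolates `key` raw into the URL path (`"#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}"`), and `removeOidcConsent` builds that key from `partner`, whose origin is not visible here; a partner value containing `/`, `?` or `#` would therefore address a different route than intended, so use `#{encodeURIComponent key}` (and `#{encodeURIComponent data.token}`) in the URL. The two chained `delKey` calls are not atomic: if deleting `_oidc_consent_scope_#{partner}` fails after `_oidc_consent_time_#{partner}` was removed, the consent is half-deleted but stays displayed because `hide()` only runs on full success; at least the error handler should mention which key failed. The previous implementation kept as comments (`#r = new RegExp …` through `# alert "#{s} #{e}"`) should be deleted rather than commented out, and the error callback `e = (j,s,e) ->` shadows its own name with its third parameter, which reads as a mistake even if it works.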
...@@ -5,7 +5,7 @@ LemonLDAP::NG Portal jQuery scripts ...@@ -5,7 +5,7 @@ LemonLDAP::NG Portal jQuery scripts
*/ */
(function() { (function() {
var datas, getCookie, getValues, isHiddenFormValueSet, ping, removeOidcConsent, restoreOrder, setCookie, setKey, setOrder, setSelector, translate, translatePage, translationFields, var datas, delKey, getCookie, getValues, isHiddenFormValueSet, ping, removeOidcConsent, restoreOrder, setCookie, setKey, setOrder, setSelector, translate, translatePage, translationFields,
indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; }; indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; };
translationFields = {}; translationFields = {};
...@@ -75,14 +75,15 @@ LemonLDAP::NG Portal jQuery scripts ...@@ -75,14 +75,15 @@ LemonLDAP::NG Portal jQuery scripts
}; };
removeOidcConsent = function(partner) { removeOidcConsent = function(partner) {
var r; var e;
r = new RegExp("\b" + partner + "\b,?", 'g'); e = function(j, s, e) {
datas['oidcConsents'] = datas['oidcConsents'].replace(r, '').replace(/,$/, '');
return setKey('_oidcConnectedRP', datas['oidcConsents'], function() {
return $("[partner='" + partner + "']").hide();
}, function(j, s, e) {
return alert(s + " " + e); return alert(s + " " + e);
}); };
return delKey("_oidc_consent_time_" + partner, function() {
return delKey("_oidc_consent_scope_" + partner, function() {
return $("[partner='" + partner + "']").hide();
}, e);
}, e);
}; };
setKey = function(key, val, success, error) { setKey = function(key, val, success, error) {
...@@ -109,6 +110,24 @@ LemonLDAP::NG Portal jQuery scripts ...@@ -109,6 +110,24 @@ LemonLDAP::NG Portal jQuery scripts
}); });
}; };
delKey = function(key, success, error) {
return $.ajax({
type: "GET",
url: datas['scriptname'] + '/mysession/?gettoken',
dataType: 'json',
error: error,
success: function(data) {
return $.ajax({
type: "DELETE",
url: datas['scriptname'] + "/mysession/persistent/" + key + "?token=" + data.token,
dataType: 'json',
success: success,
error: error
});
}
});
};
restoreOrder = function() { restoreOrder = function() {
var IDs, child, i, item, itemID, items, l, len, len1, list, rebuild, savedOrd, v; var IDs, child, i, item, itemID, items, l, len, len1, list, rebuild, savedOrd, v;
list = $(setSelector); list = $(setSelector);
......