Commit ff0c8029 authored by Xavier Guimard's avatar Xavier Guimard

Change oidc content key for removal (#1431)

parent 31d3b1e7
......@@ -123,6 +123,8 @@ sub defaultValues {
'max2FDevices' => 10,
'max2FDevicesNameLength' => 20,
'multiValuesSeparator' => '; ',
'mySessionAuthorizedRWKeys' =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
'notificationStorage' => 'File',
'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications'
......
......@@ -123,8 +123,12 @@ sub BUILD {
if ( $self->{info} ) {
foreach ( keys %{ $self->{info} } ) {
$data->{$_} = $self->{info}->{$_}
if ( defined $self->{info}->{$_} );
if ( defined $self->{info}->{$_} ) {
$data->{$_} = $self->{info}->{$_};
}
else {
delete $data->{$_};
}
}
delete $self->{info};
}
......
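Review bot: The rewritten loop in BUILD still walks `keys %{ $self->{info} }` through the implicit `$_`, which now spans an if/else and three subscript expressions; naming the key reads better and protects against a clobbered `$_` if the body ever grows a call. Suggested: `foreach my $key ( keys %{ $self->{info} } ) {` with `$data->{$key}` and `$self->{info}->{$key}` in the body. BUILD begins before this hunk and its `$data` is declared outside it.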
......@@ -5,6 +5,11 @@ our $VERSION = '2.0.0';
sub types {
return {
'array' => {
'test' => sub {
1;
}
},
'authParamsText' => {
'test' => sub {
1;
......@@ -1592,6 +1597,11 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => '; ',
'type' => 'authParamsText'
},
'mySessionAuthorizedRWKeys' => {
'default' =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
'type' => 'array'
},
'nginxCustomHandlers' => {
'keyTest' => qr/^\w+$/,
'msgFail' => '__badPerlPackageName__',
......
......@@ -208,6 +208,9 @@ sub types {
samlService => {
test => sub { 1 }
},
array => {
test => sub { 1 }
},
};
}
......@@ -222,6 +225,12 @@ sub attributes {
default => 600,
flags => 'hp',
},
mySessionAuthorizedRWKeys => {
type => 'array',
documentation => 'Alterable session keys by user itself',
default =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidc_consent_*' ],
},
configStorage => {
type => 'text',
documentation => 'Configuration storage',
......
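Review bot: The `documentation` string for `mySessionAuthorizedRWKeys` does not say that an entry may end in `*`, which the REST plugin in this commit turns into a wildcard and which the default `_oidc_consent_*` relies on; suggest `documentation => 'Session keys the user may alter (an entry may use * as a wildcard)'`. The new `array` type's `test => sub { 1 }` accepts any entry, so the same comment should warn that every entry becomes part of a regex in the REST code. The same default is repeated in the two generated-looking attribute files earlier in this commit.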
......@@ -17,7 +17,7 @@ sub init {
my ($self) = @_;
$self->conf->{remoteCookieName} ||= $self->conf->{cookieName};
$self->conf->{proxySessionService} ||=
$self->conf->{proxyAuthService} . '/mysession';
$self->conf->{proxyAuthService} . '/session/my';
$self->conf->{proxySessionService} =~ s#/*$##;
$self->ua( Lemonldap::NG::Common::UserAgent->new( $self->conf ) );
$self->ua->default_header( Accept => 'application/json' );
......
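Review bot: The new default `$self->conf->{proxyAuthService} . '/session/my'` points at a path that the REST plugin in this commit registers only for GET/POST (`session => { my => { ':sessionType' => 'getMyKey' } }`), while its PUT and DELETE handlers and the portal scripts still use `/mysession`, and the plugin's header comment lists both spellings. If the proxy only reads keys this works, but it is worth stating next to the assignment, e.g. `# /session/my only serves GET/POST (getMyKey); PUT/DELETE remain under /mysession`, or moving the remaining routes as well so one path covers everything. init continues past this hunk.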
......@@ -10,9 +10,9 @@
# * DELETE /sessions/<type>/<session-id> : delete a session
#
# - Sessions for connected users (if restSessionServer is on):
# * GET /mysession/<type> : get session datas
# * GET /mysession/<type>/key : get session key
# * DELETE /mysession : ask for logout
# * GET /session/my/<type> : get session datas
# * GET /session/my/<type>/key : get session key
# * DELETE /session/my : ask for logout
#
# - Authentication
# * POST /sessions/<type>/<session-id>?auth : authenticate with a fixed
......@@ -34,7 +34,9 @@
# * GET /mysession/?authorizationfor=<base64-encoded-url>: ask if url is
# authorizated
# * PUT /mysession/<type> : update some
# persistent datas
# persistent data
# (restricted)
# * DELETE /mysession/<type>/key : delete key in data
# (restricted)
#
# There is no conflict with SOAP server, they can be used together
......@@ -148,11 +150,11 @@ sub init {
sessions => { ':sessionType' => 'delSession' },
['DELETE']
);
$self->addAuthRoute(
mysession => { ':sessionType' => 'getMyKey' },
session => { my => { ':sessionType' => 'getMyKey' } },
[ 'GET', 'POST' ]
);
$self->addAuthRoute( mysession => 'delMySession', ['DELETE'] );
}
# Methods always available
......@@ -160,6 +162,10 @@ sub init {
mysession => { '*' => 'mysession' },
[ 'GET', 'POST' ]
);
$self->addAuthRoute(
mysession => { ':key' => 'delKeyInMySession', '*' => 'delMySession' },
['DELETE']
);
$self->addAuthRoute(
mysession => { ':sessionType' => 'updateMySession' },
['PUT']
......@@ -357,8 +363,17 @@ sub updateMySession {
if ( my $token = $req->param('token') ) {
if ( $self->ott->getToken($token) ) {
if ( $req->param('sessionType') eq 'persistent' ) {
foreach my $key (qw(_appsListOrder _oidcConnectedRP)) {
my $v = $req->param($key);
foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} ) {
my $v;
if ( $key =~ /\*/ ) {
$key =~ s/\*/\.\*/g;
if ( my ($k) = grep( /$key/, $req->params ) ) {
$v = $req->param($k);
}
}
else {
$v = $req->param($key);
}
if ( defined $v ) {
$res++;
push @$mKeys, $key;
......@@ -382,4 +397,43 @@ sub updateMySession {
{ result => 1, count => $res, modifiedKeys => $mKeys } );
}
sub delKeyInMySession {
my ( $self, $req ) = @_;
my $res = 0;
my $mKeys = [];
my $dkey = $req->param('key');
if ( my $token = $req->param('token') ) {
if ( $self->ott->getToken($token) ) {
if ( $req->param('sessionType') eq 'persistent' ) {
foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} ) {
if ( $key =~ /\*/ ) {
$key =~ s/\*/\.\*/g;
if ( $dkey =~ /$key/ ) {
$res++;
}
}
elsif ( $dkey eq $key ) {
$res++;
}
}
if ($res) {
$self->p->updatePersistentSession( $req,
{ $dkey => undef } );
}
}
}
else {
$self->logger->error('Update session request with invalid token');
}
}
else {
$self->logger->error('Update session request without token');
}
unless ($res) {
return $self->p->sendError( $req, 'Modification refused', 403 );
}
return $self->p->sendJSONresponse( $req,
{ result => 1, count => $res, modifiedKeys => $dkey } );
}
1;
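Review bot: In updateMySession (the `foreach my $key` loop) and again in delKeyInMySession, the authorized-key check is loose in three ways. If `mySessionAuthorizedRWKeys` is the arrayref the new defaults declare, `foreach my $key ( $self->conf->{mySessionAuthorizedRWKeys} )` iterates once over the reference itself rather than its entries, so nothing matches until it is written `@{ ... }`. Once dereferenced, `$key =~ s/\*/\.\*/g` edits the loop variable, which aliases the configuration array, so each request rewrites the stored pattern (`_oidc_consent_*` → `_oidc_consent_.*` → `_oidc_consent_..*`), and `push @$mKeys, $key` records that regex instead of the matched parameter `$k`. The pattern is then applied unanchored and without `quotemeta` (`grep( /$key/, $req->params )`, `$dkey =~ /$key/`), so any parameter or key name that merely contains `_oidc_consent_` as a substring is accepted, not only names starting with it. Building the regex from a copy and matching `\A$re\z` closes the gap — in delKeyInMySession that is `( my $re = quotemeta($key) ) =~ s/\\\*/.*/g; $res++ if $dkey =~ /\A$re\z/;` — and since updateMySession's body continues outside the hunk, whatever it later writes using `$key` should use the matched name instead.
```perl
foreach my $key ( @{ $self->conf->{mySessionAuthorizedRWKeys} } ) {
    my $v;
    my $name = $key;    # name actually written; the config entry stays untouched
    if ( $key =~ /\*/ ) {
        # glob -> anchored regex: only '*' is a wildcard, the rest is literal
        ( my $re = quotemeta($key) ) =~ s/\\\*/.*/g;
        if ( my ($k) = grep { /\A$re\z/ } $req->params ) {
            $name = $k;
            $v    = $req->param($k);
        }
    }
    else {
        $v = $req->param($key);
    }
    if ( defined $v ) {
        $res++;
        push @$mKeys, $name;
        # … unchanged: rest of the loop body, outside this hunk …
```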
......@@ -60,15 +60,27 @@ setOrder = ->
# Function used to remove an OIDC consent
removeOidcConsent = (partner) ->
r = new RegExp "\b#{partner}\b,?", 'g'
datas['oidcConsents'] = datas['oidcConsents'].replace(r,'').replace(/,$/,'')
setKey '_oidcConnectedRP', datas['oidcConsents']
#r = new RegExp "\b#{partner}\b,?", 'g'
#datas['oidcConsents'] = datas['oidcConsents'].replace(r,'').replace(/,$/,'')
#setKey '_oidcConnectedRP', datas['oidcConsents']
# # Success
# , () ->
# $("[partner='#{partner}']").hide()
# # Error
# , (j,s,e) ->
# alert "#{s} #{e}"
e = (j,s,e) ->
alert "#{s} #{e}"
delKey "_oidc_consent_time_#{partner}"
# Success
, () ->
delKey "_oidc_consent_scope_#{partner}"
# Success
, () ->
$("[partner='#{partner}']").hide()
# Error
, (j,s,e) ->
alert "#{s} #{e}"
, e
, e
# Function used by setOrder() and removeOidcConsent() to push new values
# For security reason, modification is rejected unless a valid token is given
......@@ -92,6 +104,21 @@ setKey = (key,val,success,error) ->
success: success
error: error
delKey = (key,success,error) ->
$.ajax
type: "GET"
url: datas['scriptname'] + '/mysession/?gettoken'
dataType: 'json'
error: error
# On success, value is set
success: (data) ->
$.ajax
type: "DELETE"
url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}"
dataType: 'json'
success: success
error: error
# function that restores the list order from session
restoreOrder = ->
list = $(setSelector)
......
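Review bot: `delKey` splices `key` straight into the request path (`url: "#{datas['scriptname']}/mysession/persistent/#{key}?token=#{data.token}"`), and removeOidcConsent builds that key from `partner`, so a partner name containing `/`, `?`, `#` or `%` yields a different route or a malformed URL; use `#{encodeURIComponent key}` there. The previous body of removeOidcConsent is kept as commented-out lines above the new one; since it is superseded it should be deleted rather than left as dead text. The `e` error callback shadows its own third argument in `(j,s,e) ->`, which works but reads confusingly — a name such as `errorCb` would be clearer.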
......@@ -5,7 +5,7 @@ LemonLDAP::NG Portal jQuery scripts
*/
(function() {
var datas, getCookie, getValues, isHiddenFormValueSet, ping, removeOidcConsent, restoreOrder, setCookie, setKey, setOrder, setSelector, translate, translatePage, translationFields,
var datas, delKey, getCookie, getValues, isHiddenFormValueSet, ping, removeOidcConsent, restoreOrder, setCookie, setKey, setOrder, setSelector, translate, translatePage, translationFields,
indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; };
translationFields = {};
......@@ -75,14 +75,15 @@ LemonLDAP::NG Portal jQuery scripts
};
removeOidcConsent = function(partner) {
var r;
r = new RegExp("\b" + partner + "\b,?", 'g');
datas['oidcConsents'] = datas['oidcConsents'].replace(r, '').replace(/,$/, '');
return setKey('_oidcConnectedRP', datas['oidcConsents'], function() {
return $("[partner='" + partner + "']").hide();
}, function(j, s, e) {
var e;
e = function(j, s, e) {
return alert(s + " " + e);
});
};
return delKey("_oidc_consent_time_" + partner, function() {
return delKey("_oidc_consent_scope_" + partner, function() {
return $("[partner='" + partner + "']").hide();
}, e);
}, e);
};
setKey = function(key, val, success, error) {
......@@ -109,6 +110,24 @@ LemonLDAP::NG Portal jQuery scripts
});
};
delKey = function(key, success, error) {
return $.ajax({
type: "GET",
url: datas['scriptname'] + '/mysession/?gettoken',
dataType: 'json',
error: error,
success: function(data) {
return $.ajax({
type: "DELETE",
url: datas['scriptname'] + "/mysession/persistent/" + key + "?token=" + data.token,
dataType: 'json',
success: success,
error: error
});
}
});
};
restoreOrder = function() {
var IDs, child, i, item, itemID, items, l, len, len1, list, rebuild, savedOrd, v;
list = $(setSelector);
......