Commit 5055b180 authored by Christophe Maudoux's avatar Christophe Maudoux

Restore OIDC activation global rule (#1625) & Improve unit test

parent b36db970
......@@ -12,6 +12,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_REDIRECT
PE_OK
PE_UNAUTHORIZEDPARTNER
PE_OIDC_SERVICE_NOT_ALLOWED
);
our $VERSION = '2.0.1';
......@@ -28,6 +29,7 @@ sub beforeAuth { 'exportRequestParameters' }
use constant sessionKind => 'OIDCI';
has rule => ( is => 'rw', default => sub { {} } );
has configStorage => (
is => 'ro',
lazy => 1,
......@@ -35,7 +37,6 @@ has configStorage => (
$_[0]->{p}->HANDLER->localConfig->{configStorage};
}
);
has ssoMatchUrl => ( is => 'rw' );
# OIDC has 7 endpoints managed here as PSGI endpoints or in run() [Main/Issuer.pm
......@@ -56,6 +57,17 @@ has ssoMatchUrl => ( is => 'rw' );
sub init {
my ($self) = @_;
# Parse activation rule
my $hd = $self->p->HANDLER;
$self->logger->debug( "OIDC rule -> " . $self->conf->{issuerDBOpenIDConnectRule} );
my $rule
= $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDConnectRule} ) );
unless ($rule) {
$self->error( "Bad OIDC rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{rule} = $rule;
# Initialize RP list
return 0
unless ( $self->Lemonldap::NG::Portal::Main::Issuer::init()
......@@ -113,6 +125,13 @@ sub ssoMatch {
# run() manages only "authorize" and "logout" endpoints.
sub run {
my ( $self, $req, $path ) = @_;
# Check activation rule
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('OIDC service not authorized');
return PE_OIDC_SERVICE_NOT_ALLOWED;
}
if ($path) {
# Convert old format OIDC Consents
......
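Review bot: The refusal logged at L47 carries no identifying detail — neither the user the rule rejected nor the endpoint being hit — so an authorization denial leaves only a constant string in the audit trail. `$path` is already in scope from the signature at L44 (it may be undef, per the check at L50), so `$self->userLogger->error( 'OIDC service not authorized (path: ' . ( $path // '' ) . ')' );` is a cheap improvement; adding the rejected user (presumably `$req->user` as elsewhere in the portal, to be confirmed) would complete it. Note also that this gate is only evaluated in `run()`, which the comment at L42 says handles just the authorize and logout endpoints; whether the remaining PSGI-managed endpoints mentioned at L24 need the same rule, or are intentionally not session-bound, cannot be decided from this hunk. `run()` continues past the end of the hunk.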
......@@ -137,7 +137,8 @@ sub op {
portal => 'http://auth.op.com',
authentication => 'Demo',
userDB => 'Same',
issuerDBOpenIDConnectActivation => "1",
issuerDBOpenIDConnectActivation => 1,
issuerDBOpenIDConnectRule => '$uid eq "french"',
oidcRPMetaDataExportedVars => {
rp => {
email => "mail",
......
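Review bot: The hunk only configures the activation rule (`'$uid eq "french"'` at L59); whether the test then exercises the negative path — a user who does not match the rule being refused with PE_OIDC_SERVICE_NOT_ALLOWED — is not visible here, and a rule test that only covers the allowed user would pass even if the check were never evaluated. If that assertion is not present further down the file, add a second flow for a non-matching Demo user and assert the denial. The `op` helper and the surrounding test file continue outside the hunk.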