Commit 5055b180 authored by Christophe Maudoux's avatar Christophe Maudoux

Restore OIDC activation global rule (#1625) & Improve unit test

parent b36db970
...@@ -12,6 +12,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( ...@@ -12,6 +12,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
PE_REDIRECT PE_REDIRECT
PE_OK PE_OK
PE_UNAUTHORIZEDPARTNER PE_UNAUTHORIZEDPARTNER
PE_OIDC_SERVICE_NOT_ALLOWED
); );
our $VERSION = '2.0.1'; our $VERSION = '2.0.1';
...@@ -28,6 +29,7 @@ sub beforeAuth { 'exportRequestParameters' } ...@@ -28,6 +29,7 @@ sub beforeAuth { 'exportRequestParameters' }
use constant sessionKind => 'OIDCI'; use constant sessionKind => 'OIDCI';
has rule => ( is => 'rw', default => sub { {} } );
has configStorage => ( has configStorage => (
is => 'ro', is => 'ro',
lazy => 1, lazy => 1,
...@@ -35,7 +37,6 @@ has configStorage => ( ...@@ -35,7 +37,6 @@ has configStorage => (
$_[0]->{p}->HANDLER->localConfig->{configStorage}; $_[0]->{p}->HANDLER->localConfig->{configStorage};
} }
); );
has ssoMatchUrl => ( is => 'rw' ); has ssoMatchUrl => ( is => 'rw' );
# OIDC has 7 endpoints managed here as PSGI endpoints or in run() [Main/Issuer.pm # OIDC has 7 endpoints managed here as PSGI endpoints or in run() [Main/Issuer.pm
...@@ -56,6 +57,17 @@ has ssoMatchUrl => ( is => 'rw' ); ...@@ -56,6 +57,17 @@ has ssoMatchUrl => ( is => 'rw' );
sub init { sub init {
my ($self) = @_; my ($self) = @_;
# Parse activation rule
my $hd = $self->p->HANDLER;
$self->logger->debug( "OIDC rule -> " . $self->conf->{issuerDBOpenIDConnectRule} );
my $rule
= $hd->buildSub( $hd->substitute( $self->conf->{issuerDBOpenIDConnectRule} ) );
unless ($rule) {
$self->error( "Bad OIDC rule -> " . $hd->tsv->{jail}->error );
return 0;
}
$self->{rule} = $rule;
# Initialize RP list # Initialize RP list
return 0 return 0
unless ( $self->Lemonldap::NG::Portal::Main::Issuer::init() unless ( $self->Lemonldap::NG::Portal::Main::Issuer::init()
...@@ -113,6 +125,13 @@ sub ssoMatch { ...@@ -113,6 +125,13 @@ sub ssoMatch {
# run() manages only "authorize" and "logout" endpoints. # run() manages only "authorize" and "logout" endpoints.
sub run { sub run {
my ( $self, $req, $path ) = @_; my ( $self, $req, $path ) = @_;
# Check activation rule
unless ( $self->rule->( $req, $req->sessionInfo ) ) {
$self->userLogger->error('OIDC service not authorized');
return PE_OIDC_SERVICE_NOT_ALLOWED;
}
if ($path) { if ($path) {
# Convert old format OIDC Consents # Convert old format OIDC Consents
......
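Review bot: `has rule => ( is => 'rw', default => sub { {} } )` gives the attribute a hashref default, yet run() invokes it as a coderef (`$self->rule->( $req, $req->sessionInfo )`) and init() stores the compiled rule by writing the hash slot directly (`$self->{rule} = $rule;`) rather than through the Moo accessor. If the attribute is ever read before init() has succeeded, the default dies with "Not a CODE reference" instead of refusing cleanly; storing via `$self->rule($rule);` and declaring a coderef default (or no default) keeps the declaration and its use consistent. The activation check is placed only in run(), which the comment above it says handles just the "authorize" and "logout" endpoints; the endpoints served as PSGI endpoints (see the "OIDC has 7 endpoints" comment) are not gated by this rule in the visible hunks, so confirm whether they are covered elsewhere or also need it. The denial log line `'OIDC service not authorized'` carries no user or RP identifier, which makes the refusal hard to attribute when auditing. run()'s body continues outside the hunk.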
...@@ -137,7 +137,8 @@ sub op { ...@@ -137,7 +137,8 @@ sub op {
portal => 'http://auth.op.com', portal => 'http://auth.op.com',
authentication => 'Demo', authentication => 'Demo',
userDB => 'Same', userDB => 'Same',
issuerDBOpenIDConnectActivation => "1", issuerDBOpenIDConnectActivation => 1,
issuerDBOpenIDConnectRule => '$uid eq "french"',
oidcRPMetaDataExportedVars => { oidcRPMetaDataExportedVars => {
rp => { rp => {
email => "mail", email => "mail",
......
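Review bot: The new OP configuration sets `issuerDBOpenIDConnectRule => '$uid eq "french"'` (and normalizes the activation flag to a bare `1`), but the hunk shows only the setup; an assertion that a session whose uid is not "french" is refused with PE_OIDC_SERVICE_NOT_ALLOWED, if it exists, lies outside the hunk. The deny path is the part of this rule most worth pinning in the test, alongside the allow path for the matching user. The enclosing op() sub starts and ends outside the hunk.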