Commit dba550b6 authored by Christophe Maudoux's avatar Christophe Maudoux

Fix SSL/Kerberos Auth with Choice (#1636)

parent 7fb6923f
......@@ -32,6 +32,11 @@ sub extractFormInfo {
'Append ' . $mod->Name . ' init/script' );
$req->data->{customScript} .= $mod->AjaxInitScript;
}
if ( $mod->{InitCmd} ) {
eval( $mod->{InitCmd} );
die 'Unable to launch init commmand ' . $mod->{InitCmd}
if ($@);
}
}
foreach my $mod ( values %{ $self->modules } ) {
if ( $mod->can('setSecurity') ) {
......@@ -40,7 +45,8 @@ sub extractFormInfo {
}
}
$self->logger->debug(
"Send init/script -> " . $req->data->{customScript} );
"Send init/script -> " . $req->data->{customScript} )
if $req->data->{customScript};
return PE_FIRSTACCESS;
}
my $res = $req->data->{enabledMods0}->[0]->extractFormInfo($req);
......
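Review bot: The new hook `eval( $mod->{InitCmd} )` is a string eval, so the text a module stores in InitCmd is compiled and run inside Choice's extractFormInfo, where `$self` is the Choice object (see `$self->modules`) rather than `$mod`, and a compile failure only surfaces afterwards through `$@`. InitCmd is a fixed default on the module today (the Kerberos default is `$self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 )`), so this is not an injection path, but a code reference would make the contract explicit and remove the eval: declare `default => sub { sub { my ( $self, $req ) = @_; $self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 ) } }` and call `$mod->InitCmd->( $mod, $req )` here and at the `eval ( $self->InitCmd )` line in Kerberos.pm. The check also reads the object hash directly (`$mod->{InitCmd}`) instead of the accessor `$mod->InitCmd`, and the die message spells `commmand`. The body of extractFormInfo starts before this hunk.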
......@@ -5,18 +5,24 @@ use Mouse;
use GSSAPI;
use MIME::Base64;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_BADCREDENTIALS
PE_ERROR
PE_FIRSTACCESS
PE_OK
PE_SENDRESPONSE
PE_BADCREDENTIALS
PE_ERROR
PE_FIRSTACCESS
PE_OK
PE_SENDRESPONSE
);
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Portal::Main::Auth';
has keytab => ( is => 'rw' );
has keytab => ( is => 'rw' );
has AjaxInitScript => ( is => 'rw', default => '' );
has Name => ( is => 'ro', default => 'Kerberos' );
has InitCmd => (
is => 'ro',
default => q@$self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 )@
);
# INITIALIZATION
......@@ -28,6 +34,10 @@ sub init {
return 0;
}
$self->keytab("FILE:$file");
$self->AjaxInitScript( '<script type="text/javascript" src="'
. $self->p->staticPrefix
. '/common/js/kerberos.js"></script>' )
if $self->conf->{krbByJs};
return 1;
}
......@@ -35,8 +45,8 @@ sub extractFormInfo {
my ( $self, $req ) = @_;
if ( $req->data->{_krbUser} ) {
$self->logger->debug(
'Kerberos ticket already validated for ' . $req->data->{_krbUser} );
$self->logger->debug( 'Kerberos ticket already validated for '
. $req->data->{_krbUser} );
return PE_OK;
}
......@@ -51,10 +61,8 @@ sub extractFormInfo {
# Case 1.1: Ajax request
if ( $req->wantJSON ) {
$req->response(
[
401,
[
'WWW-Authenticate' => 'Negotiate',
[ 401,
[ 'WWW-Authenticate' => 'Negotiate',
'Content-Type' => 'application/json',
'Content-Length' => 35
],
......@@ -67,7 +75,8 @@ sub extractFormInfo {
# dialog
else {
$req->error(PE_BADCREDENTIALS);
push @{ $req->respHeaders }, 'WWW-Authenticate' => 'Negotiate';
push @{ $req->respHeaders },
'WWW-Authenticate' => 'Negotiate';
my ( $tpl, $prms ) = $self->p->display($req);
$req->response(
$self->p->sendHtml(
......@@ -80,10 +89,10 @@ sub extractFormInfo {
return PE_SENDRESPONSE;
}
# Case 2: Ajax Kerberos request has failed, and javascript has reloaded
# page with "kerberos=0". Return an error to be able to switch to
# another backend (Combination)
# switch to another backend
# Case 2: Ajax Kerberos request has failed, and javascript has reloaded
# page with "kerberos=0". Return an error to be able to switch to
# another backend (Combination)
# switch to another backend
elsif ( defined $req->param('kerberos') ) {
$self->userLogger->warn(
'Kerberos authentication has failed, back to portal');
......@@ -93,12 +102,12 @@ sub extractFormInfo {
# Case 3: Display kerberos auth page (with javascript)
else {
$self->logger->debug('Send Kerberos javascript');
$req->data->{customScript} .=
'<script type="text/javascript" src="'
. $self->p->staticPrefix
. '/common/js/kerberos.js"></script>';
$self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 );
$self->logger->debug( 'Append ' . $self->Name . ' init/script' );
$req->data->{customScript} .= $self->AjaxInitScript;
$self->logger->debug(
"Send init/script -> " . $req->data->{customScript} );
#$self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 );
eval ( $self->InitCmd );
return PE_FIRSTACCESS;
}
}
......
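Review bot: In Case 3 the new `eval ( $self->InitCmd );` discards `$@`, so if the init command fails to compile or dies the method still returns PE_FIRSTACCESS and, given the default command, the page presumably goes out without the hidden `kerberos` field, whereas the equivalent call in Choice.pm dies on `$@`; add `die 'Unable to launch init command ' . $self->InitCmd if $@;` after it, or simply call `$self->p->setHiddenFormValue( $req, kerberos => 0, '', 0 )` directly here since `$self` is the Kerberos module. The commented-out `#$self->p->setHiddenFormValue(...)` line just above is dead code and should be removed rather than kept alongside the eval. In the Case 2 comment the trailing `# switch to another backend` line repeats the sentence before it and can be dropped. extractFormInfo begins before these hunks.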
......@@ -6,7 +6,7 @@ BEGIN {
eval "use GSSAPI";
}
my $maintests = 8;
my $maintests = 9;
my $debug = 'error';
SKIP: {
......@@ -15,8 +15,7 @@ SKIP: {
skip 'GSSAPI not found', $maintests;
}
my $client = LLNG::Manager::Test->new(
{
ini => {
{ ini => {
logLevel => $debug,
useSafeJail => 1,
authentication => 'Kerberos',
......@@ -30,11 +29,10 @@ SKIP: {
ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
ok( getHeader( $res, 'WWW-Authenticate' ) eq 'Negotiate',
'Get negotiate header' )
or explain( $res->[1], 'WWW-Authenticate => Negotiate' );
or explain( $res->[1], 'WWW-Authenticate => Negotiate' );
&Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
$client = LLNG::Manager::Test->new(
{
ini => {
{ ini => {
logLevel => $debug,
useSafeJail => 1,
authentication => 'Kerberos',
......@@ -48,13 +46,14 @@ SKIP: {
ok( $res = $client->_get( '/', accept => 'text/html' ),
'First access with JS' );
# Disabled for now
#expectForm( $res, '#', undef, 'kerberos' );
expectForm($res);
ok( $res->[2]->[0] =~ /kerberos\.(?:min\.)?js/, 'Get Kerberos javascript' );
ok(
$res = $client->_get(
expectForm( $res, '#', undef, 'kerberos' );
ok( $res->[2]->[0]
=~ m%<input type="hidden" name="kerberos" id="kerberos" value="0" />%,
'Found hidden attribut "kerberos" with value="0"'
) or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ /kerberos\.(?:min\.)?js/,
'Get Kerberos javascript' );
ok( $res = $client->_get(
'/',
query => 'kerberos=1',
accept => 'application/json'
......@@ -63,8 +62,7 @@ SKIP: {
);
ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 );
ok(
$res = $client->_get(
ok( $res = $client->_get(
'/',
query => 'kerberos=1',
accept => 'application/json',
......
......@@ -5,7 +5,7 @@ use IO::String;
require 't/test-lib.pm';
my $res;
my $maintests = 13;
my $maintests = 17;
eval { unlink 't/userdb.db' };
......@@ -37,6 +37,7 @@ SKIP: {
'Demo;Demo;Null;https://test.example.com;$env->{ipAddr} =~ /1.2.3.4/',
'5_ssl' => 'SSL;Demo;Demo',
'6_FakeCustom' => 'Custom;Demo;Demo',
'7_Kerberos' => 'Kerberos;Null;Null',
},
dbiAuthChain => 'dbi:SQLite:dbname=t/userdb.db',
......@@ -49,7 +50,10 @@ SKIP: {
customAuth => '::Auth::Apache',
customAddParams => {},
sslByAjax => 1,
sslHost => 'https://authssl.example.com:19876'
sslHost => 'https://authssl.example.com:19876',
krbKeytab => '/etc/keytab',
krbByJs => 1,
krbAuthnLevel => 4,
}
}
);
......@@ -59,11 +63,15 @@ SKIP: {
ok( $res->[2]->[0] =~ /3_demo/, '3_demo displayed' );
ok( $res->[2]->[0] =~ /5_ssl/, '5_ssl displayed' );
ok( $res->[2]->[0] =~ /6_FakeCustom/, '6_FakeCustom displayed' );
ok( $res->[2]->[0] =~ /7_Kerberos/, '7_Kerberos displayed' );
ok( $res->[2]->[0] =~ qr%<img src="/static/common/modules/SSL.png"%,
'Found 5_ssl Logo' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ qr%img src="/static/common/modules/Apache.png"%,
'Found 6_FakeCustom Logo' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ qr%<img src="/static/common/modules/SSL.png"%,
'Found 5_ssl Logo' )
ok( $res->[2]->[0] =~ qr%<img src="/static/common/modules/Kerberos.png"%,
'Found 7_Kerberos Logo' )
or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ m%<form id="lformDemo" action="https://test.example.com"%,
' Redirect URL found' )
......@@ -71,6 +79,13 @@ SKIP: {
ok( $res->[2]->[0] =~ m%<script type="application/init">\{"sslHost":"https://authssl.example.com:19876"\}</script>%,
' SSL AJAX URL found' )
or print STDERR Dumper( $res->[2]->[0] );
expectForm( $res, '#', undef, 'kerberos' );
ok( $res->[2]->[0]
=~ m%<input type="hidden" name="kerberos" id="kerberos" value="0" />%,
'Found hidden attribut "kerberos" with value="0"'
) or print STDERR Dumper( $res->[2]->[0] );
ok( $res->[2]->[0] =~ /kerberos\.(?:min\.)?js/, 'Get Kerberos javascript' )
or print STDERR Dumper( $res->[2]->[0] );
my $header = getHeader( $res, 'Content-Security-Policy' );
ok( $header =~ m%;form-action \'self\' https://test.example.com;%,
' CSP URL found' )
......
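Review bot: The new `7_Kerberos` choice is configured with `krbKeytab => '/etc/keytab'`, a path that is unlikely to exist on a test host, and this file shows no GSSAPI skip of the kind the Kerberos-only test has (`skip 'GSSAPI not found', $maintests`). If Kerberos init returns 0 when the keytab is missing, as the early `return 0` at the top of the init hunk suggests, the `7_Kerberos` assertions would fail rather than skip on such a host; either guard this block with the same `eval "use GSSAPI"` skip and point krbKeytab at a temporary file, or confirm that init tolerates a missing keytab. The description `'Found hidden attribut "kerberos" with value="0"'` has a typo (`attribute`), here and in the other test file.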