Commit e028088f authored by Maxime Besson's avatar Maxime Besson

Add the ability to detect HTTPS from web server env

This commit adds a new "Default" option for the global HTTPS setting. In
this mode, the handler will refer to the HTTPS env variable to know if it's
being accessed over HTTPS or not. An administrator is of course still
free to force HTTPS by setting it either globally or per-VHost
parent 622df5b5
......@@ -66,6 +66,7 @@ sub defaultValues {
'handlerInternalCache' => 15,
'hiddenAttributes' => '_password',
'httpOnly' => 1,
'https' => -1,
'infoFormMethod' => 'get',
'issuerDBCASPath' => '^/cas/',
'issuerDBCASRule' => 1,
......@@ -173,6 +174,7 @@ sub defaultValues {
'pamService' => 'login',
'passwordDB' => 'Demo',
'passwordResetAllowedRetries' => 3,
'port' => -1,
'portal' => 'http://auth.example.com/',
'portalAntiFrame' => 1,
'portalCheckLogins' => 1,
......
......@@ -204,7 +204,6 @@ sub defaultValuesInit {
$class->tsv->{cipher} = Lemonldap::NG::Common::Crypto->new( $conf->{key} );
foreach my $opt (qw(https port maintenance)) {
next unless defined $conf->{$opt};
# Record default value in key '_'
$class->tsv->{$opt} = { _ => $conf->{$opt} };
......@@ -216,7 +215,7 @@ sub defaultValuesInit {
$conf->{vhostOptions}->{$vhost} ||= {};
my $val = $conf->{vhostOptions}->{$vhost}->{$name};
# Keep default value if $val is negative
# Keep global value if $val is negative
if ( defined $val and $val >= 0 ) {
$class->logger->debug(
"Options $opt for vhost $vhost: $val");
......
......@@ -402,12 +402,8 @@ sub fetchId {
my ( $class, $req ) = @_;
my $t = $req->{env}->{HTTP_COOKIE} or return 0;
my $vhost = $class->resolveAlias($req);
my $lookForHttpCookie = (
$class->tsv->{securedCookie} =~ /^(2|3)$/
and !( defined( $class->tsv->{https}->{$vhost} ) )
? $class->tsv->{https}->{$vhost}
: $class->tsv->{https}->{_}
);
my $lookForHttpCookie = ( $class->tsv->{securedCookie} =~ /^(2|3)$/
and not $class->_isHttps( $req, $vhost ) );
my $cn = $class->tsv->{cookieName};
my $value
= $lookForHttpCookie
......@@ -535,23 +531,67 @@ sub retrieveSession {
}
}
## @cmethod private int _getPort(string s)
# Returns the port on which this vhost is accessed
# @param $s VHost name
# @return PORT
sub _getPort {
my ( $class, $req, $vhost ) = @_;
if ( defined $class->tsv->{port}->{$vhost}
and ( $class->tsv->{port}->{$vhost} > 0 ) )
{
return $class->tsv->{port}->{$vhost};
}
else {
if ( defined $class->tsv->{port}->{_}
and ( $class->tsv->{port}->{_} > 0 ) )
{
return $class->tsv->{port}->{_};
}
else {
return $req->{env}->{SERVER_PORT};
}
}
}
## @cmethod private boot _isHttps(string s)
# Returns whether this VHost should he accessed
# via HTTPS
# @param $s VHost name
# @return RUE if the vhost should be accessed over HTTPS
sub _isHttps {
my ( $class, $req, $vhost ) = @_;
if ( defined $class->tsv->{https}->{$vhost}
and ( $class->tsv->{https}->{$vhost} > -1 ) )
{
return $class->tsv->{https}->{$vhost};
}
else {
if ( defined $class->tsv->{https}->{_}
and ( $class->tsv->{https}->{_} > -1 ) )
{
return $class->tsv->{https}->{_};
}
else {
return ( uc( $req->{env}->{HTTPS} ) eq "ON" );
}
}
}
## @cmethod private string _buildUrl(string s)
# Transform /<s> into http(s?)://<host>:<port>/s
# @param $s path
# @return URL
sub _buildUrl {
my ( $class, $req, $s ) = @_;
my $realvhost = $req->{env}->{HTTP_HOST};
my $vhost = $class->resolveAlias($req);
my $_https = (
defined( $class->tsv->{https}->{$vhost} )
? $class->tsv->{https}->{$vhost}
: $class->tsv->{https}->{_}
);
my $portString
= $class->tsv->{port}->{$vhost}
|| $class->tsv->{port}->{_}
|| $req->{env}->{SERVER_PORT};
my $realvhost = $req->{env}->{HTTP_HOST};
my $vhost = $class->resolveAlias($req);
my $_https = $class->_isHttps( $req, $vhost );
my $portString = $class->_getPort( $req, $vhost );
$portString = (
( $realvhost =~ /:\d+/ )
or ( $_https && $portString == 443 )
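Review bot: The fallback branch of _isHttps, `return ( uc( $req->{env}->{HTTPS} ) eq "ON" );`, emits "Use of uninitialized value" under `use warnings` whenever the web server leaves HTTPS unset, which is likely the normal case for a plain-HTTP request; guard it with `return ( uc( $req->{env}->{HTTPS} || '' ) eq 'ON' );`. Because this branch now decides which cookie fetchId looks for and which scheme _buildUrl redirects to, a comment above it should state that a TLS-terminating proxy that does not pass HTTPS through will be treated as plain HTTP, so such deployments must force the setting globally or per vhost rather than rely on the new default. The new doc blocks also do not match the code: `_getPort` and `_isHttps` take `($req, $vhost)`, not `(string s)`, and the `_isHttps` header has typos — suggest `## @cmethod private bool _isHttps(hashref req, string vhost)`, `# Returns whether this VHost should be accessed via HTTPS` and `# @return TRUE if the vhost should be accessed over HTTPS`, with matching `@param` lines for both subs. fetchId's body continues outside its hunk.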
......
......@@ -1180,8 +1180,8 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'type' => 'bool'
},
'https' => {
'default' => 0,
'type' => 'bool'
'default' => -1,
'type' => 'trool'
},
'infoFormMethod' => {
'default' => 'get',
......@@ -2155,7 +2155,8 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'type' => 'keyTextContainer'
},
'port' => {
'type' => 'int'
'default' => -1,
'type' => 'int'
},
'portal' => {
'default' => 'http://auth.example.com/',
......
......@@ -293,8 +293,8 @@ sub attributes {
flags => 'hmp',
},
https => {
default => 0,
type => 'bool',
default => -1,
type => 'trool',
documentation => 'Use HTTPS for redirection from portal',
flags => 'h',
},
......@@ -306,6 +306,7 @@ sub attributes {
documentation => 'HTTP method for info page form',
},
port => {
default => -1,
type => 'int',
documentation => 'Force port in redirection',
flags => 'h',
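Review bot: The `https` attribute becomes a tri-state (`type => 'trool'`, `default => -1`) but its `documentation` string still reads 'Use HTTPS for redirection from portal', which says nothing about what the new default means; an administrator reading this text (presumably surfaced in the manager) cannot tell that -1 defers to the web server's HTTPS variable. Suggest `documentation => 'Use HTTPS for redirection from portal (-1: detect from web server)',` and, for the matching `port` change, `documentation => 'Force port in redirection (-1: use the port the request arrived on)',`. The `attributes` sub continues outside both hunks.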
......