Add manager option to override SAML signature method (#2319)

6 years ago · 4d5de59735
parent be9be9d240
commit 4d5de59735
16 changed files with 119 additions and 5 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@ -28,8 +28,8 @@ our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic
 our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
 our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
 our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:uth(?:orizationCodeExpiration|nLevel)|llow(?:PasswordGrant|Offline)|ccessTokenExpiration|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims|UserIDAttr)|(?:ExportedVar|Macro)s)';
-our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ignS[LS]OMessage|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
-our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|S(?:essionNotOnOrAfterTimeout|ignS[LS]OMessage)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
+our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
+our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
 our $virtualHostKeys = '(?:vhost(?:A(?:uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';

 our $authParameters = {
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -3211,6 +3211,23 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => '',
            'type'    => 'longtext'
        },
+        'samlIDPMetaDataOptionsSignatureMethod' => {
+            'default' => '',
+            'select'  => [ {
+                    'k' => '',
+                    'v' => 'default'
+                },
+                {
+                    'k' => 'RSA_SHA1',
+                    'v' => 'RSA SHA1'
+                },
+                {
+                    'k' => 'RSA_SHA256',
+                    'v' => 'RSA SHA256'
+                }
+            ],
+            'type' => 'select'
+        },
        'samlIDPMetaDataOptionsSignSLOMessage' => {
            'default' => -1,
            'type'    => 'trool'
@ -3547,6 +3564,23 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => 72000,
            'type'    => 'int'
        },
+        'samlSPMetaDataOptionsSignatureMethod' => {
+            'default' => '',
+            'select'  => [ {
+                    'k' => '',
+                    'v' => 'default'
+                },
+                {
+                    'k' => 'RSA_SHA1',
+                    'v' => 'RSA SHA1'
+                },
+                {
+                    'k' => 'RSA_SHA256',
+                    'v' => 'RSA SHA256'
+                }
+            ],
+            'type' => 'select'
+        },
        'samlSPMetaDataOptionsSignSLOMessage' => {
            'default' => -1,
            'type'    => 'trool'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -2769,6 +2769,15 @@ sub attributes {
            type    => 'trool',
            default => -1,
        },
+        samlIDPMetaDataOptionsSignatureMethod => {
+            type   => 'select',
+            select => [
+                { k => '',           v => 'default' },
+                { k => 'RSA_SHA1',   v => 'RSA SHA1' },
+                { k => 'RSA_SHA256', v => 'RSA SHA256' },
+            ],
+            default => '',
+        },
        samlIDPMetaDataOptionsCheckSLOMessageSignature => {
            type    => 'bool',
            default => 1,
@ -2925,6 +2934,15 @@ sub attributes {
            type    => 'trool',
            default => -1,
        },
+        samlSPMetaDataOptionsSignatureMethod => {
+            type   => 'select',
+            select => [
+                { k => '',           v => 'default' },
+                { k => 'RSA_SHA1',   v => 'RSA SHA1' },
+                { k => 'RSA_SHA256', v => 'RSA SHA256' },
+            ],
+            default => '',
+        },
        samlSPMetaDataOptionsCheckSSOMessageSignature => {
            type    => 'bool',
            default => 1,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm
@ -52,6 +52,7 @@ sub cTrees {
                title => "samlIDPMetaDataOptionsSignature",
                form  => 'simpleInputContainer',
                nodes => [
+                    "samlIDPMetaDataOptionsSignatureMethod",
                    "samlIDPMetaDataOptionsSignSSOMessage",
                    "samlIDPMetaDataOptionsCheckSSOMessageSignature",
                    "samlIDPMetaDataOptionsSignSLOMessage",
@ -122,10 +123,11 @@ sub cTrees {
                        title => "samlSPMetaDataOptionsSignature",
                        form  => 'simpleInputContainer',
                        nodes => [
+                            "samlSPMetaDataOptionsSignatureMethod",
                            "samlSPMetaDataOptionsSignSSOMessage",
                            "samlSPMetaDataOptionsCheckSSOMessageSignature",
                            "samlSPMetaDataOptionsSignSLOMessage",
-                            "samlSPMetaDataOptionsCheckSLOMessageSignature"
+                            "samlSPMetaDataOptionsCheckSLOMessageSignature",
                        ]
                    },
                    {
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.js
@ -708,6 +708,27 @@ function templates(tpl,key) {
   },
   {
      "_nodes" : [
+         {
+            "default" : "",
+            "get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignatureMethod",
+            "id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignatureMethod",
+            "select" : [
+               {
+                  "k" : "",
+                  "v" : "default"
+               },
+               {
+                  "k" : "RSA_SHA1",
+                  "v" : "RSA SHA1"
+               },
+               {
+                  "k" : "RSA_SHA256",
+                  "v" : "RSA SHA256"
+               }
+            ],
+            "title" : "samlIDPMetaDataOptionsSignatureMethod",
+            "type" : "select"
+         },
         {
            "default" : -1,
            "get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsSignSSOMessage",
@ -1102,6 +1123,27 @@ function templates(tpl,key) {
         },
         {
            "_nodes" : [
+               {
+                  "default" : "",
+                  "get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignatureMethod",
+                  "id" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignatureMethod",
+                  "select" : [
+                     {
+                        "k" : "",
+                        "v" : "default"
+                     },
+                     {
+                        "k" : "RSA_SHA1",
+                        "v" : "RSA SHA1"
+                     },
+                     {
+                        "k" : "RSA_SHA256",
+                        "v" : "RSA SHA256"
+                     }
+                  ],
+                  "title" : "samlSPMetaDataOptionsSignatureMethod",
+                  "type" : "select"
+               },
               {
                  "default" : -1,
                  "get" : tpl+"s/"+key+"/"+"samlSPMetaDataOptionsSignSSOMessage",
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js
--- a/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js.map
+++ b/lemonldap-ng-manager/site/htdocs/static/js/conftree.min.js.map
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"طلب إثبات الهوية",
 "samlIDPMetaDataOptionsSession":"جلسة",
 "samlIDPMetaDataOptionsSignature":"توقيع",
+"samlIDPMetaDataOptionsSignatureMethod":"Signature method",
 "samlIDPMetaDataOptionsBinding":"ربط",
 "samlIDPMetaDataOptionsDisplay":"عرض",
 "samlIDPMetaDataOptionsDisplayName":"عرض الاسم",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"أسلوب التشفير",
 "samlSPMetaDataOptionsAuthnResponse":"رد إثبات الهوية",
 "samlSPMetaDataOptionsSignature":"توقيع",
+"samlSPMetaDataOptionsSignatureMethod":"Signature method",
 "samlSPMetaDataOptionsSecurity":"الحماية",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"تمكين استخدام عنوان يو آر إل  IDP ",
 "samlSPMetaDataOptionsNameIDSessionKey":"فرض اسم المعرف لمفتاح الجلسة",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Authentication request",
 "samlIDPMetaDataOptionsSession":"Session",
 "samlIDPMetaDataOptionsSignature":"Signature",
+"samlIDPMetaDataOptionsSignatureMethod":"Signature method",
 "samlIDPMetaDataOptionsBinding":"Binding",
 "samlIDPMetaDataOptionsDisplay":"Display",
 "samlIDPMetaDataOptionsDisplayName":"Display name",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Encryption mode",
 "samlSPMetaDataOptionsAuthnResponse":"Authentication response",
 "samlSPMetaDataOptionsSignature":"Signature",
+"samlSPMetaDataOptionsSignatureMethod":"Signature method",
 "samlSPMetaDataOptionsSecurity":"Security",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Enable use of IDP initiated URL",
 "samlSPMetaDataOptionsNameIDSessionKey":"Force NameID session key",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Authentication request",
 "samlIDPMetaDataOptionsSession":"Session",
 "samlIDPMetaDataOptionsSignature":"Signature",
+"samlIDPMetaDataOptionsSignatureMethod":"Signature method",
 "samlIDPMetaDataOptionsBinding":"Binding",
 "samlIDPMetaDataOptionsDisplay":"Display",
 "samlIDPMetaDataOptionsDisplayName":"Display name",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Encryption mode",
 "samlSPMetaDataOptionsAuthnResponse":"Authentication response",
 "samlSPMetaDataOptionsSignature":"Signature",
+"samlSPMetaDataOptionsSignatureMethod":"Signature method",
 "samlSPMetaDataOptionsSecurity":"Security",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Enable use of IDP initiated URL",
 "samlSPMetaDataOptionsNameIDSessionKey":"Force NameID session key",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Requête d'authentification",
 "samlIDPMetaDataOptionsSession":"Session",
 "samlIDPMetaDataOptionsSignature":"Signature",
+"samlIDPMetaDataOptionsSignatureMethod":"Méthode pour la signature",
 "samlIDPMetaDataOptionsBinding":"Méthode",
 "samlIDPMetaDataOptionsDisplay":"Affichage",
 "samlIDPMetaDataOptionsDisplayName":"Nom d'affichage",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Mode de chiffrement",
 "samlSPMetaDataOptionsAuthnResponse":"Réponse d'authentification",
 "samlSPMetaDataOptionsSignature":"Signature",
+"samlSPMetaDataOptionsSignatureMethod":"Méthode pour la signature",
 "samlSPMetaDataOptionsSecurity":"Sécurité",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Autoriser l'utilisation d'URL SSO initié par l'IDP",
 "samlSPMetaDataOptionsNameIDSessionKey":"Forcer la clef de session NameID",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Richiesta di autenticazione",
 "samlIDPMetaDataOptionsSession":"Sessioni",
 "samlIDPMetaDataOptionsSignature":"Firma",
+"samlIDPMetaDataOptionsSignatureMethod":"Metodo di firma",
 "samlIDPMetaDataOptionsBinding":"Vincolante",
 "samlIDPMetaDataOptionsDisplay":" Visualizza  ",
 "samlIDPMetaDataOptionsDisplayName":"Nome da visualizzare",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Modalità di crittografia",
 "samlSPMetaDataOptionsAuthnResponse":"Risposta di autenticazione",
 "samlSPMetaDataOptionsSignature":"Firma",
+"samlSPMetaDataOptionsSignatureMethod":"Metodo di firma",
 "samlSPMetaDataOptionsSecurity":"Sicurezza",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Abilitare l'utilizzo dell'URL IDP avviata ",
 "samlSPMetaDataOptionsNameIDSessionKey":"Forza la chiave di sessione NameID",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Żądanie uwierzytelnienia",
 "samlIDPMetaDataOptionsSession":"Sesja",
 "samlIDPMetaDataOptionsSignature":"Podpis",
+"samlIDPMetaDataOptionsSignatureMethod":"Metoda podpisu",
 "samlIDPMetaDataOptionsBinding":"Przywiązania",
 "samlIDPMetaDataOptionsDisplay":"Wyświetl",
 "samlIDPMetaDataOptionsDisplayName":"Wyświetlana nazwa",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Tryb szyfrowania",
 "samlSPMetaDataOptionsAuthnResponse":"Odpowiedź uwierzytelnienia",
 "samlSPMetaDataOptionsSignature":"Podpis",
+"samlSPMetaDataOptionsSignatureMethod":"Metoda podpisu",
 "samlSPMetaDataOptionsSecurity":"Bezpieczeństwo",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Włącz korzystanie z adresu URL zainicjowanego przez IDP",
 "samlSPMetaDataOptionsNameIDSessionKey":"Wymuś klucz sesji NameID",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Doğrulama isteği",
 "samlIDPMetaDataOptionsSession":"Oturum",
 "samlIDPMetaDataOptionsSignature":"İmza",
+"samlIDPMetaDataOptionsSignatureMethod":"İmzalama yöntemi",
 "samlIDPMetaDataOptionsBinding":"Bağlayıcı",
 "samlIDPMetaDataOptionsDisplay":"Görüntüle",
 "samlIDPMetaDataOptionsDisplayName":"Görüntülenen ad",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Şifreleme modu",
 "samlSPMetaDataOptionsAuthnResponse":"Doğrulama cevabı",
 "samlSPMetaDataOptionsSignature":"İmza",
+"samlSPMetaDataOptionsSignatureMethod":"İmzalama yöntemi",
 "samlSPMetaDataOptionsSecurity":"Güvenlik",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"IDP ile başlatılan URL’nin kullanımını etkinleştir",
 "samlSPMetaDataOptionsNameIDSessionKey":"NameID oturum anahtarını zorla",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Yêu cầu xác thực",
 "samlIDPMetaDataOptionsSession":"Phiên",
 "samlIDPMetaDataOptionsSignature":"Chữ ký",
+"samlIDPMetaDataOptionsSignatureMethod":"Signature method",
 "samlIDPMetaDataOptionsBinding":"Liên kết",
 "samlIDPMetaDataOptionsDisplay":"Hiển thị",
 "samlIDPMetaDataOptionsDisplayName":"Tên hiển thị",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Chế độ mã hóa",
 "samlSPMetaDataOptionsAuthnResponse":"Phản hồi xác thực",
 "samlSPMetaDataOptionsSignature":"Chữ ký",
+"samlSPMetaDataOptionsSignatureMethod":"Signature method",
 "samlSPMetaDataOptionsSecurity":"Bảo mật",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Cho phép sử dụng URL bắt đầu IDP",
 "samlSPMetaDataOptionsNameIDSessionKey":"Bắt buộc khóa phiên NameID",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -1061,6 +1061,7 @@
 "samlIDPMetaDataOptionsAuthnRequest":"Authentication request",
 "samlIDPMetaDataOptionsSession":"Session",
 "samlIDPMetaDataOptionsSignature":"Signature",
+"samlIDPMetaDataOptionsSignatureMethod":"Signature method",
 "samlIDPMetaDataOptionsBinding":"Binding",
 "samlIDPMetaDataOptionsDisplay":"Display",
 "samlIDPMetaDataOptionsDisplayName":"Display name",
@ -1084,6 +1085,7 @@
 "samlSPMetaDataOptionsEncryptionMode":"Encryption mode",
 "samlSPMetaDataOptionsAuthnResponse":"Authentication response",
 "samlSPMetaDataOptionsSignature":"Signature",
+"samlSPMetaDataOptionsSignatureMethod":"Signature method",
 "samlSPMetaDataOptionsSecurity":"Security",
 "samlSPMetaDataOptionsEnableIDPInitiatedURL":"Enable use of IDP initiated URL",
 "samlSPMetaDataOptionsNameIDSessionKey":"Force NameID session key",