Add Ajax to SSL (closes #1212)

8 years ago · a83a707931
parent abd9983a21
commit a83a707931
18 changed files with 138 additions and 20 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
@ -49,7 +49,7 @@ our $authParameters = {
  remoteParams => [qw(remotePortal remoteCookieName remoteGlobalStorage remoteGlobalStorageOptions)],
  restParams => [qw(restAuthUrl restUserDBUrl restPwdConfirmUrl restPwdModifyUrl)],
  slaveParams => [qw(slaveAuthnLevel slaveExportedVars slaveUserHeader slaveMasterIP slaveHeaderName slaveHeaderContent)],
-  sslParams => [qw(SSLAuthnLevel SSLVar SSLVarIf)],
+  sslParams => [qw(SSLAuthnLevel SSLVar SSLVarIf sslByAjax sslHost)],
  twitterParams => [qw(twitterAuthnLevel twitterKey twitterSecret twitterAppName)],
  webidParams => [qw(webIDAuthnLevel webIDExportedVars webIDWhitelist)],
  yubikeyParams => [qw(yubikeyAuthnLevel yubikeyClientID yubikeySecretKey yubikeyPublicIDSize)],
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -2951,6 +2951,12 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
            'default' => 5,
            'type'    => 'int'
        },
+        'sslByAjax' => {
+            'type' => 'bool'
+        },
+        'sslHost' => {
+            'type' => 'url'
+        },
        'SSLVar' => {
            'type' => 'text'
        },
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -2040,8 +2040,16 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
            default       => 5,
            documentation => 'SSL authentication level',
        },
-        SSLVar   => { type => 'text', },
-        SSLVarIf => { type => 'keyTextContainer', },
+        SSLVar    => { type => 'text', },
+        SSLVarIf  => { type => 'keyTextContainer', },
+        sslByAjax => {
+            type          => 'bool',
+            documentation => 'Use Ajax request for SSL',
+        },
+        sslHost => {
+            type          => 'url',
+            documentation => 'URL for SSL Ajax request',
+        },

        # CAS
        CAS_authnLevel => {
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -339,7 +339,11 @@ sub tree {
                            title => 'sslParams',
                            help  => 'authssl.html',
                            form  => 'simpleInputContainer',
-                            nodes => [ 'SSLAuthnLevel', 'SSLVar', 'SSLVarIf' ]
+                            nodes => [
+                                'SSLAuthnLevel', 'SSLVar',
+                                'SSLVarIf',      'sslByAjax',
+                                'sslHost',
+                            ]
                        },
                        {
                            title => 'twitterParams',
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -645,6 +645,8 @@
 "soapSessionServer": "SOAP session server",
 "specialRule": "Special rule",
 "SSLAuthnLevel": "Authentication level",
+"sslByAjax": "Use Ajax request",
+"sslHost": "Ajax SSL URL",
 "sslParams": "SSL parameters",
 "SSLVar": "Extracted certificate field",
 "SSLVarIf": "Conditional extracted certificate field",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -645,6 +645,8 @@
 "soapSessionServer": "Serveur de sessions SOAP",
 "specialRule": "Règle spécifique",
 "SSLAuthnLevel": "Niveau d'authentification",
+"sslByAjax": "Utiliser une requête Ajax",
+"sslHost": "URL SSL pour Ajax",
 "sslParams": "Paramètres SSL",
 "SSLVar": "Champ extrait du certificat",
 "SSLVarIf": "Champ conditionnel extrait du certificat",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@ -130,6 +130,7 @@ site/coffee/kerberos.coffee
 site/coffee/oidcchecksession.coffee
 site/coffee/portal.coffee
 site/coffee/registerbrowser.coffee
+site/coffee/ssl.coffee
 site/coffee/u2fcheck.coffee
 site/coffee/u2fregistration.coffee
 site/cron/purgeCentralCache
@ -221,6 +222,8 @@ site/htdocs/static/common/js/portal.js
 site/htdocs/static/common/js/portal.min.js
 site/htdocs/static/common/js/registerbrowser.js
 site/htdocs/static/common/js/registerbrowser.min.js
+site/htdocs/static/common/js/ssl.js
+site/htdocs/static/common/js/ssl.min.js
 site/htdocs/static/common/js/u2f-api.js
 site/htdocs/static/common/js/u2f-api.min.js
 site/htdocs/static/common/js/u2fcheck.js
@ -267,6 +270,7 @@ site/templates/bootstrap/password.tpl
 site/templates/bootstrap/public/test.tpl
 site/templates/bootstrap/redirect.tpl
 site/templates/bootstrap/register.tpl
+site/templates/bootstrap/sslform.tpl
 site/templates/bootstrap/standardform.tpl
 site/templates/bootstrap/u2fcheck.tpl
 site/templates/bootstrap/u2fregister.tpl
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/SSL.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/SSL.pm
@ -2,8 +2,12 @@ package Lemonldap::NG::Portal::Auth::SSL;

 use strict;
 use Mouse;
-use Lemonldap::NG::Portal::Main::Constants
-  qw(PE_OK PE_BADCERTIFICATE PE_CERTIFICATEREQUIRED);
+use Lemonldap::NG::Portal::Main::Constants qw(
+  PE_BADCERTIFICATE
+  PE_CERTIFICATEREQUIRED
+  PE_FIRSTACCESS
+  PE_OK
+);

 our $VERSION = '2.0.0';

@ -33,14 +37,24 @@ sub extractFormInfo {
    {
        $field = $tmp;
    }
-    return PE_OK
-      if ( $req->user( $req->env->{$field} ) );
-    if ( $req->env->{SSL_CLIENT_S_DN} ) {
+    if ( $req->user( $req->env->{$field} ) ) {
+        $self->userLogger->notice( "GoodSSL authentication for " . $req->user );
+        return PE_OK;
+    }
+    elsif ( $req->env->{SSL_CLIENT_S_DN} ) {
        $self->userLogger->warn("$field was not found in user certificate");
        return PE_BADCERTIFICATE;
    }
+    elsif ( $self->conf->{sslByAjax} and not $req->param('nossl') ) {
+        $self->logger->debug('Send SSL javascript');
+        $req->datas->{customScript} .=
+            '<script type="application/init">{"sslHost":"'
+          . $self->conf->{sslHost}
+          . '"}</script>';
+        return PE_FIRSTACCESS;
+    }
    else {
-        $self->userlogger->warn('No certificate found');
+        $self->userLogger->warn('No certificate found');
        return PE_CERTIFICATEREQUIRED;
    }
 }
@ -56,7 +70,7 @@ sub setAuthSessionInfo {
 }

 sub getDisplayType {
-    return "logo";
+    return ( $_[0]->conf->{sslByAjax} ? "sslform" : "logo" );
 }

 1;
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@ -325,8 +325,9 @@ sub display {
                    DISPLAY_YUBIKEY_FORM => $displayType =~ /\byubikeyform\b/
                    ? 1
                    : 0,
-                    DISPLAY_LOGO_FORM => $displayType eq "logo" ? 1 : 0,
-                    module => $displayType eq "logo"
+                    DISPLAY_SSL_FORM  => $displayType =~ /sslform/ ? 1 : 0,
+                    DISPLAY_LOGO_FORM => $displayType eq "logo"    ? 1 : 0,
+                    module            => $displayType eq "logo"
                    ? $self->getModule( $req, 'auth' )
                    : "",
                    AUTH_LOOP => [],
@ -342,10 +343,7 @@ sub display {
    }

    # Additional $req param
-    %templateParams = (
-        %templateParams,
-        %{ $req->{customParameters} // {} },
-    );
+    %templateParams = ( %templateParams, %{ $req->{customParameters} // {} }, );

    $self->logger->debug("Skin returned: $skinfile");
    return ( $skinfile, \%templateParams );
--- a/lemonldap-ng-portal/site/coffee/ssl.coffee
+++ b/lemonldap-ng-portal/site/coffee/ssl.coffee
@ -0,0 +1,21 @@
+# Launch SSL request
+
+tryssl = () ->
+	$.ajax window.datas.sslHost,
+		dataType: 'json'
+		# Called if browser can't find Kerberos ticket will display
+		# PE_BADCREDENTIALS
+		statusCode:
+			401: () ->
+				$('#lform').submit()
+		# If request succeed, cookie is set, posting form to get redirection
+		# or menu
+		success: (data) ->
+			$('#lform').submit()
+		# Case else, will display PE_BADCREDENTIALS or fallback to next auth
+		# backend
+		error: () ->
+			$('#lform').submit()
+
+$(document).ready ->
+	$('.sslclick').on 'click', tryssl
--- a/lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.css
+++ b/lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.css
@ -60,6 +60,7 @@ div.actions a {
 .buttons {
  text-align: center;
  margin: 10px 0 0 0;
+  cursor: pointer;
 }
 /* Override bootstrap btn style */
 .btn {
@ -153,3 +154,7 @@ div.oidc_consent_message > ul {
 .noborder {
  border: none;
 }
+
+.max {
+  width: 100%;
+}
--- a/lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.min.css
+++ b/lemonldap-ng-portal/site/htdocs/static/bootstrap/css/styles.min.css
@ -1 +1 @@
-html,body{height:100%;background:radial-gradient(circle at 50% 0,#fff 0,#ddd 100%) no-repeat scroll 0 0 #ddd}#wrap{min-height:100%;height:auto;margin:0 auto -80px;padding:20px 0 80px}#footer{height:80px;background-color:#fff;background-color:rgba(255,255,255,0.9);text-align:center;padding-top:10px;overflow:hidden}#header img{background-color:#fff;background-color:rgba(255,255,255,0.8);margin-bottom:20px}.panel,.navbar-default{background-color:#fff;background-color:rgba(255,255,255,0.9);background-image:none}.login,.password,.confirm{text-align:center;padding:20px}div.form{margin:0 auto;max-width:330px}div.actions{margin:10px 0 0 0}div.actions a{margin-top:10px}.buttons{text-align:center;margin:10px 0 0 0}.btn{white-space:normal}.btn span.glyphicon{padding-right:8px}li.ui-state-active{background-color:#fafafa;background-color:rgba(250,250,250,0.9)}#appslist,#password,#loginHistory,#logout{margin-top:20px}div.application{height:50px;overflow:hidden}div.application a,div.application a:hover{text-decoration:none;display:block}div.application h4.appname{margin-top:5px}div.application p.appdesc{color:#aaa;font-style:italic}p.notifCheck label{margin-left:5px;margin-top:3px;display:inline-block}div.openidconnect button{height:60px;width:160px;margin-bottom:5px}div.openidconnect button img{height:30px}div.oidc_consent_message>ul{text-align:left;list-style:circle}@media(min-width:768px){div.application{height:80px}div.application h4.appname{margin:0}#wrap{margin:0 auto -60px}#footer{padding-top:20px;height:60px}}.hiddenFrame{border:0;display:hidden;margin:0}.noborder{border:0}
+html,body{height:100%;background:radial-gradient(circle at 50% 0,#fff 0,#ddd 100%) no-repeat scroll 0 0 #ddd}#wrap{min-height:100%;height:auto;margin:0 auto -80px;padding:20px 0 80px}#footer{height:80px;background-color:#fff;background-color:rgba(255,255,255,0.9);text-align:center;padding-top:10px;overflow:hidden}#header img{background-color:#fff;background-color:rgba(255,255,255,0.8);margin-bottom:20px}.panel,.navbar-default{background-color:#fff;background-color:rgba(255,255,255,0.9);background-image:none}.login,.password,.confirm{text-align:center;padding:20px}div.form{margin:0 auto;max-width:330px}div.actions{margin:10px 0 0 0}div.actions a{margin-top:10px}.buttons{text-align:center;margin:10px 0 0 0;cursor:pointer}.btn{white-space:normal}.btn span.glyphicon{padding-right:8px}li.ui-state-active{background-color:#fafafa;background-color:rgba(250,250,250,0.9)}#appslist,#password,#loginHistory,#logout{margin-top:20px}div.application{height:50px;overflow:hidden}div.application a,div.application a:hover{text-decoration:none;display:block}div.application h4.appname{margin-top:5px}div.application p.appdesc{color:#aaa;font-style:italic}p.notifCheck label{margin-left:5px;margin-top:3px;display:inline-block}div.openidconnect button{height:60px;width:160px;margin-bottom:5px}div.openidconnect button img{height:30px}div.oidc_consent_message>ul{text-align:left;list-style:circle}@media(min-width:768px){div.application{height:80px}div.application h4.appname{margin:0}#wrap{margin:0 auto -60px}#footer{padding-top:20px;height:60px}}.hiddenFrame{border:0;display:hidden;margin:0}.noborder{border:0}.max{width:100%}
--- a/lemonldap-ng-portal/site/htdocs/static/common/js/ssl.js
+++ b/lemonldap-ng-portal/site/htdocs/static/common/js/ssl.js
@ -0,0 +1,26 @@
+// Generated by CoffeeScript 1.10.0
+(function() {
+  var tryssl;
+
+  tryssl = function() {
+    return $.ajax(window.datas.sslHost, {
+      dataType: 'json',
+      statusCode: {
+        401: function() {
+          return $('#lform').submit();
+        }
+      },
+      success: function(data) {
+        return $('#lform').submit();
+      },
+      error: function() {
+        return $('#lform').submit();
+      }
+    });
+  };
+
+  $(document).ready(function() {
+    return $('.sslclick').on('click', tryssl);
+  });
+
+}).call(this);
--- a/lemonldap-ng-portal/site/htdocs/static/common/js/ssl.min.js
+++ b/lemonldap-ng-portal/site/htdocs/static/common/js/ssl.min.js
@ -0,0 +1 @@
+(function(){var a;a=function(){return $.ajax(window.datas.sslHost,{dataType:"json",statusCode:{401:function(){return $("#lform").submit()}},success:function(b){return $("#lform").submit()},error:function(){return $("#lform").submit()}})};$(document).ready(function(){return $(".sslclick").on("click",a)})}).call(this);
--- a/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/login.tpl
@ -67,6 +67,10 @@
              <TMPL_INCLUDE NAME="yubikeyform.tpl">
            </TMPL_IF>

+            <TMPL_IF NAME="sslform">
+              <TMPL_INCLUDE NAME="sslform.tpl">
+            </TMPL_IF>
+
            <TMPL_IF NAME="logo">

              <div class="form">
@ -120,6 +124,10 @@
      <TMPL_INCLUDE NAME="openidform.tpl">
   </TMPL_IF>

+   <TMPL_IF NAME="DISPLAY_SSL_FORM">
+      <TMPL_INCLUDE NAME="sslform.tpl">
+   </TMPL_IF>
+
   <TMPL_IF NAME="DISPLAY_YUBIKEY_FORM">
      <TMPL_INCLUDE NAME="yubikeyform.tpl">
   </TMPL_IF>
--- a/lemonldap-ng-portal/site/templates/bootstrap/sslform.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/sslform.tpl
@ -0,0 +1,19 @@
+<!-- //if:jsminified
+<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">common/js/ssl.min.js"></script>
+//else -->
+<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">common/js/ssl.js"></script>
+<!-- //endif -->
+
+<div class="form">
+  <input type="hidden" name="nossl" value="1" />
+  <div class="form-group input-group sslclick buttons max">
+    <img src="<TMPL_VAR NAME="STATIC_PREFIX">common/modules/SSL.png" alt="<TMPL_VAR NAME="module">" class="img-thumbnail" />
+  </div>
+
+  <TMPL_INCLUDE NAME="checklogins.tpl">
+
+  <button type="submit" class="btn btn-success sslclick" >
+    <span class="glyphicon glyphicon-log-in"></span>
+    <span trspan="connect">Connect</span>
+  </button>
+</div>
				`@ -0,0 +1 @@`
				`(function(){var a;a=function(){return $.ajax(window.datas.sslHost,{dataType:"json",statusCode:{401:function(){return $("#lform").submit()}},success:function(b){return $("#lform").submit()},error:function(){return $("#lform").submit()}})};$(document).ready(function(){return $(".sslclick").on("click",a)})}).call(this);`