WIP - Decrease authLevel skeleton (#1784)

6 years ago · be26e3cb9a
parent bf8022b8db
commit be26e3cb9a
4 changed files with 72 additions and 12 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
@ -199,6 +199,7 @@ sub defaultValuesInit {
        timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
        useSafeJail             whatToTrace        handlerInternalCache
        handlerServiceTokenTTL  decreaseAuthLevelInterval httpOnly
+        decreaseCounter
        )
    );

--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm
@ -11,6 +11,7 @@ use strict;
 use MIME::Base64;
 use URI::Escape;
 use Lemonldap::NG::Common::Session;
+use Data::Dumper;

 # Methods that must be overloaded

@ -148,8 +149,9 @@ sub run {
        # ACCOUNTING (1. Inform web server)
        $class->set_user( $req, $session->{ $class->tsv->{whatToTrace} } );

-        # Decrease authentication level if required
-        $class->decreaseAuthLevel( $req, $session );
+        # # Decrease authentication level if required
+        # $class->decreaseAuthLevel( $req, $session, $id )
+        #   if ( $class->tsv->{decreaseAuthLevelInterval} );

        # AUTHORIZATION
        return ( $class->forbidden( $req, $session ), $session )
@ -437,7 +439,7 @@ sub retrieveSession {
    # 1. Search if the user was the same as previous (very efficient in
    # persistent connection).
    # NB: timout is here the same value as current HTTP/1.1 Keep-Alive timeout
-    #     (15 seconds)
+    #     (15 seconds by default)
    if (    defined $class->data->{_session_id}
        and $id eq $class->data->{_session_id}
        and
@ -524,6 +526,33 @@ sub retrieveSession {
            }
        }

+        if (   $class->tsv->{decreaseAuthLevelInterval}
+            && ($session->data->{authenticationLevel} > 1) )
+        {
+            $class->logger->debug(" -> Check if AuthLevel must be decreased");
+
+            # Update the session to notify activity, if necessary
+            if ( $now > ( $class->tsv->{_lastAuthnUTime} +
+                $class->tsv->{decreaseAuthLevelInterval} * ($class->tsv->{_decreaseCounter} + 1)) )
+            {
+                my $authLevel = $session->{data}->{authenticationLevel};
+                my $counter   = $session->{data}->{_decreaseCounter} || 0;
+                $class->logger->debug(
+                    "****************** req :" . Data::Dumper::Dumper($req) );
+                $class->data( $session->data );
+                $class->logger->debug(
+                    "Decrease $session->{data}->{uid} authenticationLevel from $authLevel to " . --$authLevel );
+                $req->data->{session}->update( { 'authenticationLevel' => 5,'_decreaseCounter' => ++$counter } );
+                if ( $session->error ) {
+                    $class->logger->error("Cannot update session $id");
+                    $class->logger->error( $req->data->{session}->error );
+                }
+                else {
+                    $class->logger->debug("Update authenticationLevel with $authLevel");
+                }
+            }
+        }
+
        $class->dataUpdate($now);
        return $session->data;
    }
@ -834,13 +863,33 @@ sub postJavascript {
      . "</script>\n";
 }

-sub decreaseAuthLevel {
-    my ( $class, $req, $session ) = @_;
-
-    if ( $class->tsv->{decreaseAuthLevelInterval} ) {
-        $session->{authenticationLevel} = 1;
-        #$session->update( { authenticationLevel => 1 } );
-    }
-}
+# sub decreaseAuthLevel {
+#     my ( $class, $req, $session, $id ) = @_;
+
+#     return if ( $session->{authenticationLevel} == 1 );
+# $class->logger->debug("************ -> Call decreaseAuthLevel");
+#     my $now = time();
+
+#     # Update the session to notify activity, if necessary
+#     if ( $now > $class->tsv->{_lastAuthnUTime} +
+#         $class->tsv->{decreaseAuthLevelInterval} )
+
+#     {
+#         $class->logger->debug("Decrease authnLevel". Data::Dumper::Dumper($session));
+#         $class->logger->debug("****************** req :" . Data::Dumper::Dumper($req));
+#         $req->data->{session}->update(
+#             { 'authenticationLevel' => 5 } ,{ updateCache => 2 } );
+#         $class->data( $session->data );
+
+#         if ( $session->error ) {
+#             $class->logger->error("Cannot update session $id");
+#             $class->logger->error( $req->data->{session}->error );
+#         }
+#         else {
+#             $class->logger->debug("Update _lastSeen with $now");
+#         }
+#         $class->dataUpdate($now);
+#     }
+# }

 1;
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -1087,6 +1087,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => 0,
            'type'    => 'int'
        },
+        'decreaseCounter' => {
+            'default' => 0,
+            'type'    => 'int'
+        },
        'demoExportedVars' => {
            'default' => {
                'cn'   => 'cn',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -531,6 +531,12 @@ sub attributes {
            documentation => 'Decrease authentication level interval',
            flags         => 'hp',
        },
+        decreaseCounter => {
+            type          => 'int',
+            default       => 0,
+            documentation => 'Decrease counter',
+            flags         => 'h',
+        },
        
        # Loggers (ini only)
        logLevel => {