Append Impersonation unrestrictedUsers rule & Update langs (#2207)

5 years ago · eb65264d5d
parent 9d7e5c61cc
commit eb65264d5d
15 changed files with 118 additions and 11 deletions
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -875,6 +875,12 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
        'checkUserSearchAttributes' => {
            'type' => 'text'
        },
+        'checkUserUnrestrictedUsersRule' => {
+            'test' => sub {
+                return perlExpr(@_);
+            },
+            'type' => 'text'
+        },
        'checkXSS' => {
            'default' => 1,
            'type'    => 'bool'
@ -1029,6 +1035,12 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => 1,
            'type'    => 'bool'
        },
+        'contextSwitchingUnrestrictedUsersRule' => {
+            'test' => sub {
+                return perlExpr(@_);
+            },
+            'type' => 'text'
+        },
        'cookieExpiration' => {
            'type' => 'int'
        },
@ -1428,6 +1440,12 @@ qr/^(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-
            'default' => 1,
            'type'    => 'bool'
        },
+        'impersonationUnrestrictedUsersRule' => {
+            'test' => sub {
+                return perlExpr(@_);
+            },
+            'type' => 'text'
+        },
        'infoFormMethod' => {
            'default' => 'get',
            'select'  => [ {
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -454,6 +454,12 @@ sub attributes {
            default       => 1,
            documentation => 'checkUser identities rule',
        },
+        checkUserUnrestrictedUsersRule => {
+            type          => 'text',
+            test          => sub { return perlExpr(@_) },
+            documentation => 'checkUser unrestricted users rule',
+            flags         => 'p',
+        },
        checkUserHiddenAttributes => {
            type          => 'text',
            default       => '_loginHistory _session_id hGroups',
@ -526,6 +532,12 @@ sub attributes {
            documentation => 'Impersonation identities rule',
            flags         => 'p',
        },
+        impersonationUnrestrictedUsersRule => {
+            type          => 'text',
+            test          => sub { return perlExpr(@_) },
+            documentation => 'Impersonation unrestricted users rule',
+            flags         => 'p',
+        },
        impersonationHiddenAttributes => {
            type          => 'text',
            default       => '_2fDevices _loginHistory',
@ -551,6 +563,12 @@ sub attributes {
            documentation => 'Context switching identities rule',
            flags         => 'p',
        },
+        contextSwitchingUnrestrictedUsersRule => {
+            type          => 'text',
+            test          => sub { return perlExpr(@_) },
+            documentation => 'Context switching unrestricted users rule',
+            flags         => 'p',
+        },
        contextSwitchingStopWithLogout => {
            type          => 'bool',
            default       => 1,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -739,6 +739,7 @@ sub tree {
                            nodes => [
                                'checkUser',
                                'checkUserIdRule',
+                                'checkUserUnrestrictedUsersRule',
                                'checkUserHiddenAttributes',
                                'checkUserSearchAttributes',
                                'checkUserDisplayEmptyHeaders',
@ -753,6 +754,7 @@ sub tree {
                            nodes => [
                                'impersonationRule',
                                'impersonationIdRule',
+                                'impersonationUnrestrictedUsersRule',
                                'impersonationHiddenAttributes',
                                'impersonationSkipEmptyValues',
                                'impersonationMergeSSOgroups',
@ -765,6 +767,7 @@ sub tree {
                            nodes => [
                                'contextSwitchingRule',
                                'contextSwitchingIdRule',
+                                'contextSwitchingUnrestrictedUsersRule',
                                'contextSwitchingStopWithLogout',
                            ]
                        },
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"استخدام القاعدة",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"وجهات أجاكس",
 "cspDefault":"القيمة الاعتيادية ",
 "cspFont":" مصدر نوع الخط",
@ -186,6 +187,7 @@
 "checkUsers":"SSO profile Check",
 "checkUser":"تفعيل",
 "checkUserIdRule":"Identities use rule",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserHiddenAttributes":"السمات المخفية",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"السمات المخفية",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationSkipEmptyValues":"Skip empty values",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"الحقول المطلوبة مفقودة",
 "index":"فهرس",
 "infoFormMethod":"طريقة للحصول على معلومات الإستمارة",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
 "cspFont":"Font source",
@ -187,6 +188,7 @@
 "checkUser":"Activation",
 "checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Display empty values",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationSkipEmptyValues":"Skip empty values",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
 "infoFormMethod":"Method for info form",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
 "cspFont":"Font source",
@ -187,6 +188,7 @@
 "checkUser":"Activation",
 "checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Display empty values",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationSkipEmptyValues":"Skip empty values",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
 "infoFormMethod":"Method for info form",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Règle d'utilisation des identités",
 "contextSwitchingRule":"Règle d'utilisation",
 "contextSwitchingStopWithLogout":"Arrêt par déconnexion",
+"contextSwitchingUnrestrictedUsersRule":"Règle des utilisateurs non restreints",
 "cspConnect":"Destinations des requêtes AJAX",
 "cspDefault":"Valeur par défaut",
 "cspFont":"Sources des polices",
@ -187,6 +188,7 @@
 "checkUser":"Activation",
 "checkUserIdRule":"Règle d'utilisation des identités",
 "checkUserHiddenAttributes":"Attributs masqués",
+"checkUserUnrestrictedUsersRule":"Règle des utilisateurs non restreints",
 "checkUserDisplayPersistentInfo":"Afficher les données de session persistante",
 "checkUserDisplayEmptyHeaders":"Afficher les entêtes nuls",
 "checkUserDisplayEmptyValues":"Afficher les valeurs nulles",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Attributs masqués",
 "impersonationMergeSSOgroups":"Fusionner les groupes SSO réels et usurpés",
 "impersonationSkipEmptyValues":"Ignorer les valeurs nulles",
+"impersonationUnrestrictedUsersRule":"Règle des utilisateurs non restreints",
 "incompleteForm":"Des champs requis manquent",
 "index":"Index",
 "infoFormMethod":"Méthode du formulaire d'information",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Le identità usano la regola",
 "contextSwitchingRule":"Utilizza la regola",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Destinazioni Ajax",
 "cspDefault":"Valore di default",
 "cspFont":"Origine carattere",
@ -187,6 +188,7 @@
 "checkUser":"Attivazione",
 "checkUserIdRule":"Uso della regola delle identità",
 "checkUserHiddenAttributes":"Attributi nascosti",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Mostra sessione persistente",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Mostra valori vuoti",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Attributi nascosti",
 "impersonationMergeSSOgroups":"Unisci gruppi SSO usurpati e reali",
 "impersonationSkipEmptyValues":"Salta valori vuoti",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Mancano campi obbligatori",
 "index":"Indice",
 "infoFormMethod":"Metodo per il modulo informazioni",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Reguła korzystania z tożsamości",
 "contextSwitchingRule":"Użyj reguły",
 "contextSwitchingStopWithLogout":"Zatrzymaj przez wylogowanie",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Miejsca docelowe Ajax",
 "cspDefault":"Domyślna wartość",
 "cspFont":"Źródło czcionek",
@ -187,6 +188,7 @@
 "checkUser":"Aktywacja",
 "checkUserIdRule":"Reguła korzystania z tożsamości",
 "checkUserHiddenAttributes":"Ukryte atrybuty",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Wyświetl trwałą sesję",
 "checkUserDisplayEmptyHeaders":"Wyświetl puste nagłówki",
 "checkUserDisplayEmptyValues":"Wyświetl puste wartości",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Ukryte atrybuty",
 "impersonationMergeSSOgroups":"Scal sfałszowane i prawdziwe grupy jednokrotnego logowania",
 "impersonationSkipEmptyValues":"Pomiń puste wartości",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Brak wymaganych pól",
 "index":"Indeks",
 "infoFormMethod":"Metoda formularza informacyjnego",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Kimlik kullanım kuralı",
 "contextSwitchingRule":"Kuralı kullan",
 "contextSwitchingStopWithLogout":"Çıkış yapmayı durdur",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Ajax hedefleri",
 "cspDefault":"Varsayılan değer",
 "cspFont":"Font kaynağı",
@ -187,6 +188,7 @@
 "checkUser":"Aktivasyon",
 "checkUserIdRule":"Kimlik kullanım kuralı",
 "checkUserHiddenAttributes":"Gizli nitelikler",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Kalıcı oturumu görüntüle",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Boş değerleri görüntüle",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Gizli nitelikler",
 "impersonationMergeSSOgroups":"Sahte ve gerçek TOA gruplarını birleştir",
 "impersonationSkipEmptyValues":"Boş değerleri geç",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Gerekli alanlar eksik",
 "index":"Dizin",
 "infoFormMethod":"Bilgi formu için metot",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Quy tắc sử dụng",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Đích cúa Ajax",
 "cspDefault":"Giá trị mặc định",
 "cspFont":"Nguồn phông chữ",
@ -187,6 +188,7 @@
 "checkUser":"Kích hoạt",
 "checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Thuộc tính ẩn",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Display empty values",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Thuộc tính ẩn",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationSkipEmptyValues":"Skip empty values",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Các trường bắt buộc bị thiếu",
 "index":"Chỉ mục",
 "infoFormMethod":"Phương pháp cho mẫu thông tin",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -161,6 +161,7 @@
 "contextSwitchingIdRule":"Identities use rule",
 "contextSwitchingRule":"Use rule",
 "contextSwitchingStopWithLogout":"Stop by logout",
+"contextSwitchingUnrestrictedUsersRule":"Unrestricted users rule",
 "cspConnect":"Ajax destinations",
 "cspDefault":"Default value",
 "cspFont":"字体源",
@ -187,6 +188,7 @@
 "checkUser":"激活",
 "checkUserIdRule":"Identities use rule",
 "checkUserHiddenAttributes":"Hidden attributes",
+"checkUserUnrestrictedUsersRule":"Unrestricted users rule",
 "checkUserDisplayPersistentInfo":"Display persistent session",
 "checkUserDisplayEmptyHeaders":"Display empty headers",
 "checkUserDisplayEmptyValues":"Display empty values",
@ -351,6 +353,7 @@
 "impersonationHiddenAttributes":"Hidden attributes",
 "impersonationMergeSSOgroups":"Merge spoofed and real SSO groups",
 "impersonationSkipEmptyValues":"Skip empty values",
+"impersonationUnrestrictedUsersRule":"Unrestricted users rule",
 "incompleteForm":"Required fields are missing",
 "index":"Index",
 "infoFormMethod":"Method for info form",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Impersonation.pm
@ -5,16 +5,24 @@ use Mouse;
 use Lemonldap::NG::Portal::Main::Constants
  qw( PE_OK PE_BADCREDENTIALS PE_IMPERSONATION_SERVICE_NOT_ALLOWED PE_MALFORMEDUSER );

-our $VERSION = '2.0.8';
+our $VERSION = '2.0.9';

-extends 'Lemonldap::NG::Portal::Main::Plugin';
+extends 'Lemonldap::NG::Portal::Main::Plugin',
+  'Lemonldap::NG::Portal::Lib::_tokenRule';

 # INITIALIZATION

 use constant afterData => 'run';

-has rule   => ( is => 'rw', default => sub { 1 } );
-has idRule => ( is => 'rw', default => sub { 1 } );
+has rule                  => ( is => 'rw', default => sub { 1 } );
+has idRule                => ( is => 'rw', default => sub { 1 } );
+has unrestrictedUsersRule => ( is => 'rw', default => sub { 0 } );
+
+# Form timeout token generator (used if requireToken is set)
+has ott => ( is => 'rw' );
+
+# Captcha generator
+has captcha => ( is => 'rw' );

 sub hAttr {
    $_[0]->{conf}->{impersonationHiddenAttributes} . ' '
@ -40,6 +48,25 @@ sub init {
    );
    return 0 unless $self->idRule;

+    $self->unrestrictedUsersRule(
+        $self->p->buildRule(
+            $self->conf->{impersonationUnrestrictedUsersRule},
+            'impersonationUnrestrictedUsers'
+        )
+    );
+    return 0 unless $self->unrestrictedUsersRule;
+
+    # Initialize Captcha if needed
+    if ( $self->{conf}->{captcha_login_enabled} ) {
+        $self->captcha( $self->p->loadModule('::Lib::Captcha') ) or return 0;
+    }
+
+    # Initialize form token if needed (captcha provides also a token)
+    else {
+        $self->ott( $self->p->loadModule('::Lib::OneTimeToken') ) or return 0;
+        $self->ott->timeout( $self->conf->{formTimeout} );
+    }
+
    return 1;
 }

@ -53,6 +80,7 @@ sub run {
      PE_OK;    # Skip Impersonation if error during Auth process

    my $statut = PE_OK;
+    my $unUser = 0;
    my $loginHistory =
      $req->{sessionInfo}->{_loginHistory};    # Store login history
    $req->{user} ||= $req->{sessionInfo}->{_impUser};    # If 2FA is enabled
@ -70,7 +98,7 @@ sub run {
        $statut  = PE_MALFORMEDUSER;
    }

-    # Check activation rule
+    # Check activation & unrestrictedUsers rules
    if ( $spoofId ne $req->{user} ) {
        $self->logger->debug("Spoof Id: $spoofId / Real Id: $req->{user}");
        unless ( $self->rule->( $req, $req->sessionInfo ) ) {
@ -78,6 +106,7 @@ sub run {
            $spoofId = $req->{user};
            $statut  = PE_IMPERSONATION_SERVICE_NOT_ALLOWED;
        }
+        $unUser = $self->unrestrictedUsersRule->( $req, $req->sessionInfo );
    }

    # Fill spoof session
@ -98,8 +127,9 @@ sub run {
        delete $req->{sessionInfo}->{$k};
    }

-    $spoofSession = $self->_userData( $req, $spoofId, $realSession );
+    $spoofSession = $self->_userData( $req, $spoofId, $realSession, $unUser );
    if ( $req->error ) {
+        $self->setSecurity($req);
        if ( $req->error == PE_BADCREDENTIALS ) {
            $statut = PE_BADCREDENTIALS;
        }
@ -168,8 +198,9 @@ sub run {
 }

 sub _userData {
-    my ( $self, $req, $spoofId, $realSession ) = @_;
+    my ( $self, $req, $spoofId, $realSession, $unUser ) = @_;
    my $realId = $req->{user};
+    $self->logger->info("$realId is an unrestricted user!") if $unUser;
    $req->{user} = $spoofId;
    my $raz = 0;

@ -195,7 +226,7 @@ sub _userData {

    # Check identity rule if Impersonation required
    if ( $realId ne $spoofId ) {
-        unless ( $self->idRule->( $req, $req->sessionInfo ) ) {
+        unless ( $unUser || $self->idRule->( $req, $req->sessionInfo ) ) {
            $self->userLogger->warn(
                    'Impersonation requested for an unvalid user ('
                  . $req->{user}
@ -215,7 +246,7 @@ sub _userData {
                $self->p->groupsAndMacros, 'setLocalGroups'
            ]
        );
-        $self->logger->debug('Spoof session equal real session');
+        $self->logger->debug('Reset Impersonation process');
        $req->error(PE_BADCREDENTIALS);
        if ( my $error = $self->p->process($req) ) {
            $self->logger->debug("Process returned error: $error");
@ -238,4 +269,14 @@ sub _userData {
    return $req->{sessionInfo};
 }

+sub setSecurity {
+    my ( $self, $req ) = @_;
+    if ( $self->captcha ) {
+        $self->captcha->setCaptcha($req);
+    }
+    elsif ( $self->ottRule->( $req, {} ) ) {
+        $self->ott->setToken($req);
+    }
+}
+
 1;