From 5e4c5684b4d7e9543682d72f4f331dfd7a69236e Mon Sep 17 00:00:00 2001
From: Yadd <yadd@debian.org>
Date: Thu, 29 Aug 2024 14:10:39 +0400
Subject: [PATCH 1/3] Add security patch from 2.19.2

---
 portal/Dockerfile           |  2 +-
 portal/security.patch       | 15 +++++++++++++++
 uwsgi-portal/Dockerfile     |  2 +-
 uwsgi-portal/security.patch | 15 +++++++++++++++
 4 files changed, 32 insertions(+), 2 deletions(-)
 create mode 100644 portal/security.patch
 create mode 100644 uwsgi-portal/security.patch

diff --git a/portal/Dockerfile b/portal/Dockerfile
index 757fd47..59eb6d1 100644
--- a/portal/Dockerfile
+++ b/portal/Dockerfile
@@ -37,7 +37,7 @@ COPY *.patch /
 RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
     fixedLogout.patch more-logs.patch introspec-for-public-clients.patch \
     token-exchange.patch redirect-ajax.patch back-channel-debug.patch \
-    crowdsec.patch recaptcha.patch msg-broker.patch mfe.patch \
+    crowdsec.patch recaptcha.patch msg-broker.patch mfe.patch security.patch \
     ; do echo patch $p && patch -p1 < $p; done && \
     rm -f /*.patch && \
     echo "# Install nginx configuration files" && \
diff --git a/portal/security.patch b/portal/security.patch
new file mode 100644
index 0000000..9673ab8
--- /dev/null
+++ b/portal/security.patch
@@ -0,0 +1,15 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -1767,6 +1767,12 @@ sub checkEndPointAuthenticationCredentials {
+             "Relying Party $rp is public, do not check client secret");
+     }
+     else {
++        if ( $method eq "none" ) {
++            $self->logger->error(
++                "Relying Party $rp is confidential but no known method was used"
++                  . " to authenticate on token endpoint" );
++            return undef;
++        }
+         if ( $method =~ /^client_secret_(?:basic|post)$/ ) {
+             unless ($client_secret) {
+                 $self->logger->error(
diff --git a/uwsgi-portal/Dockerfile b/uwsgi-portal/Dockerfile
index 1a14797..4a739b4 100644
--- a/uwsgi-portal/Dockerfile
+++ b/uwsgi-portal/Dockerfile
@@ -35,7 +35,7 @@ COPY *.patch /
 RUN for p in appgrid.patch jwt-type.patch app-scope.patch ignorepollers.patch \
     fixedLogout.patch more-logs.patch introspec-for-public-clients.patch \
     token-exchange.patch redirect-ajax.patch back-channel-debug.patch \
-    crowdsec.patch recaptcha.patch msg-broker.patch mfe.patch \
+    crowdsec.patch recaptcha.patch msg-broker.patch mfe.patch security.patch \
     ; do echo patch $p && patch -p1 < $p; done && \
     rm -f /*.patch && \
     echo "# Install nginx configuration files" && \
diff --git a/uwsgi-portal/security.patch b/uwsgi-portal/security.patch
new file mode 100644
index 0000000..9673ab8
--- /dev/null
+++ b/uwsgi-portal/security.patch
@@ -0,0 +1,15 @@
+--- a/usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -1767,6 +1767,12 @@ sub checkEndPointAuthenticationCredentials {
+             "Relying Party $rp is public, do not check client secret");
+     }
+     else {
++        if ( $method eq "none" ) {
++            $self->logger->error(
++                "Relying Party $rp is confidential but no known method was used"
++                  . " to authenticate on token endpoint" );
++            return undef;
++        }
+         if ( $method =~ /^client_secret_(?:basic|post)$/ ) {
+             unless ($client_secret) {
+                 $self->logger->error(

From 1ab77453dad1ab9c28086496b95fcc01a42321ba Mon Sep 17 00:00:00 2001
From: Yadd <yadd@debian.org>
Date: Thu, 29 Aug 2024 14:11:01 +0400
Subject: [PATCH 2/3] Add _ldapsearch

---
 portal/install/usr/bin/_ldapsearch       | 98 ++++++++++++++++++++++++
 uwsgi-portal/install/usr/bin/_ldapsearch | 98 ++++++++++++++++++++++++
 2 files changed, 196 insertions(+)
 create mode 100755 portal/install/usr/bin/_ldapsearch
 create mode 100755 uwsgi-portal/install/usr/bin/_ldapsearch

diff --git a/portal/install/usr/bin/_ldapsearch b/portal/install/usr/bin/_ldapsearch
new file mode 100755
index 0000000..630a69b
--- /dev/null
+++ b/portal/install/usr/bin/_ldapsearch
@@ -0,0 +1,98 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Net::LDAP;
+use Getopt::Long;
+use Pod::Usage;
+
+# Variables pour les options de ligne de commande
+my $host = 'localhost';
+my $port = 389;
+my $binddn;
+my $password;
+my $base;
+my $scope  = 'sub';               # sub, one, or base
+my $filter = '(objectClass=*)';
+my @attrs;
+my $url;
+my $help = 0;
+my $x;
+
+# Récupération des options
+GetOptions(
+    'x'            => \$x,
+    'h|host=s'     => \$host,
+    'H|url=s'      => \$url,
+    'p|port=i'     => \$port,
+    'D|binddn=s'   => \$binddn,
+    'w|password=s' => \$password,
+    'b|base=s'     => \$base,
+    's|scope=s'    => \$scope,
+    'f|filter=s'   => \$filter,
+    'a|attrs=s'    => \@attrs,
+    'help|?'       => \$help,
+) or pod2usage(2);
+
+pod2usage(1) if $help;
+
+$filter = shift if @ARGV;
+
+@attrs = @ARGV if ( @ARGV and !@attrs );
+
+# Connexion au serveur LDAP
+my $ldap = Net::LDAP->new( $url ? ($url) : ( $host, port => $port ) )
+  or die "Erreur de connexion à " . ( $url ? $url : "$host:$port" ) . " : $@";
+
+# Authentification
+if ( $binddn && $password ) {
+    my $mesg = $ldap->bind( $binddn, password => $password );
+    die "Erreur d'authentification: ", $mesg->error if $mesg->code;
+}
+
+# Recherche LDAP
+my $mesg = $ldap->search(
+    base   => $base,
+    scope  => $scope,
+    filter => $filter,
+    ( @attrs ? ( attrs => \@attrs ) : () ),
+);
+
+# Vérification des erreurs de recherche
+die "Erreur lors de la recherche: ", $mesg->error if $mesg->code;
+
+# Affichage des résultats
+foreach my $entry ( $mesg->entries ) {
+    $entry->dump;    # Affiche toutes les informations de l'entrée
+}
+
+# Fermeture de la connexion LDAP
+$ldap->unbind;
+
+__END__
+
+=head1 NAME
+
+ldapsearch.pl - Un utilitaire Perl qui imite ldapsearch
+
+=head1 SYNOPSIS
+
+ldapsearch.pl [options]
+
+ Options:
+   -h | --host       Nom d'hôte du serveur LDAP (par défaut: localhost)
+   -p | --port       Port du serveur LDAP (par défaut: 389)
+   -D | --binddn     DN pour se lier au serveur LDAP
+   -w | --password   Mot de passe pour l'authentification
+   -b | --base       DN de base pour la recherche
+   -s | --scope      Portée de la recherche: base, one, sub (par défaut: sub)
+   -f | --filter     Filtre LDAP pour la recherche (par défaut: (objectClass=*))
+   -a | --attrs      Attributs à récupérer (peut être utilisé plusieurs fois)
+   --help            Affiche ce message d'aide
+
+=head1 DESCRIPTION
+
+Ce script Perl imite le comportement de base de la commande ldapsearch.
+
+=cut
+
diff --git a/uwsgi-portal/install/usr/bin/_ldapsearch b/uwsgi-portal/install/usr/bin/_ldapsearch
new file mode 100755
index 0000000..630a69b
--- /dev/null
+++ b/uwsgi-portal/install/usr/bin/_ldapsearch
@@ -0,0 +1,98 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Net::LDAP;
+use Getopt::Long;
+use Pod::Usage;
+
+# Variables pour les options de ligne de commande
+my $host = 'localhost';
+my $port = 389;
+my $binddn;
+my $password;
+my $base;
+my $scope  = 'sub';               # sub, one, or base
+my $filter = '(objectClass=*)';
+my @attrs;
+my $url;
+my $help = 0;
+my $x;
+
+# Récupération des options
+GetOptions(
+    'x'            => \$x,
+    'h|host=s'     => \$host,
+    'H|url=s'      => \$url,
+    'p|port=i'     => \$port,
+    'D|binddn=s'   => \$binddn,
+    'w|password=s' => \$password,
+    'b|base=s'     => \$base,
+    's|scope=s'    => \$scope,
+    'f|filter=s'   => \$filter,
+    'a|attrs=s'    => \@attrs,
+    'help|?'       => \$help,
+) or pod2usage(2);
+
+pod2usage(1) if $help;
+
+$filter = shift if @ARGV;
+
+@attrs = @ARGV if ( @ARGV and !@attrs );
+
+# Connexion au serveur LDAP
+my $ldap = Net::LDAP->new( $url ? ($url) : ( $host, port => $port ) )
+  or die "Erreur de connexion à " . ( $url ? $url : "$host:$port" ) . " : $@";
+
+# Authentification
+if ( $binddn && $password ) {
+    my $mesg = $ldap->bind( $binddn, password => $password );
+    die "Erreur d'authentification: ", $mesg->error if $mesg->code;
+}
+
+# Recherche LDAP
+my $mesg = $ldap->search(
+    base   => $base,
+    scope  => $scope,
+    filter => $filter,
+    ( @attrs ? ( attrs => \@attrs ) : () ),
+);
+
+# Vérification des erreurs de recherche
+die "Erreur lors de la recherche: ", $mesg->error if $mesg->code;
+
+# Affichage des résultats
+foreach my $entry ( $mesg->entries ) {
+    $entry->dump;    # Affiche toutes les informations de l'entrée
+}
+
+# Fermeture de la connexion LDAP
+$ldap->unbind;
+
+__END__
+
+=head1 NAME
+
+ldapsearch.pl - Un utilitaire Perl qui imite ldapsearch
+
+=head1 SYNOPSIS
+
+ldapsearch.pl [options]
+
+ Options:
+   -h | --host       Nom d'hôte du serveur LDAP (par défaut: localhost)
+   -p | --port       Port du serveur LDAP (par défaut: 389)
+   -D | --binddn     DN pour se lier au serveur LDAP
+   -w | --password   Mot de passe pour l'authentification
+   -b | --base       DN de base pour la recherche
+   -s | --scope      Portée de la recherche: base, one, sub (par défaut: sub)
+   -f | --filter     Filtre LDAP pour la recherche (par défaut: (objectClass=*))
+   -a | --attrs      Attributs à récupérer (peut être utilisé plusieurs fois)
+   --help            Affiche ce message d'aide
+
+=head1 DESCRIPTION
+
+Ce script Perl imite le comportement de base de la commande ldapsearch.
+
+=cut
+

From f578e39e6d5800bd34f2ce2e9d0944584ffdb412 Mon Sep 17 00:00:00 2001
From: Yadd <yadd@debian.org>
Date: Thu, 29 Aug 2024 14:11:55 +0400
Subject: [PATCH 3/3] Update ch

---
 Changes.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Changes.md b/Changes.md
index 7248d29..5c20104 100644
--- a/Changes.md
+++ b/Changes.md
@@ -1,5 +1,8 @@
 # Changes
 
+* 2024-08-29:
+  * Add security patch
+  * Add `_ldapsearch` command
 * 2024-08-22:
   * Add Mauritian Creole translation
   * Add `LANGUAGES` variable