Update oidc patch

guimard · Jan 12, 2025 · f2a5e10 · f2a5e10
1 parent 9616c83
commit f2a5e10
Show file tree

Hide file tree

Showing 12 changed files with 348 additions and 564 deletions.
diff --git a/base-no-s6/Dockerfile b/base-no-s6/Dockerfile
@@ -82,6 +82,7 @@ RUN echo "# Install packages from ${DEBIAN_VERSION} (${LLNGDIST})" && \
     perl -000 -MJSON -i -ne '$_=JSON::from_json($_);$_->{reloadUrls}={};print JSON->new->pretty->canonical->encode($_)' /var/lib/lemonldap-ng/conf/lmConf-1.json && \
     perl -i -pe 's/\r//g' /usr/share/perl5/Lemonldap/NG/Common/Conf/DefaultValues.pm && \
     echo "patch no-none.patch" && patch -p1 <no-none.patch && \
+    echo "patch oidc-op-claims.patch" && patch -p1 <oidc-op-claims.patch && \
     rm -f *.patch
 
 #COPY syslogopt.patch .

diff --git a/base-no-s6/oidc-op-claims.patch b/base-no-s6/oidc-op-claims.patch
@@ -0,0 +1,14 @@
+--- a/usr/share/perl5/Lemonldap/NG/Common/JWT.pm
++++ b/usr/share/perl5/Lemonldap/NG/Common/JWT.pm
+@@ -40,9 +40,9 @@ sub getAccessTokenSessionId {
+ sub getJWTPart {
+     my ( $jwt, $part ) = @_;
+     my @jwt_parts = split( /\./, $jwt );
+-    my $data      = decode_base64url( $jwt_parts[$part] );
++    return undef unless @jwt_parts > 1;
+     my $json_hash;
+-    eval { $json_hash = from_json($data); };
++    eval { $json_hash = from_json( decode_base64url( $jwt_parts[$part] ) ); };
+     return undef if ($@);
+     return $json_hash;
+ }
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -94,6 +94,7 @@ RUN echo "# Install packages from ${DEBIAN_VERSION} (${LLNGDIST})" && \
     perl -000 -MJSON -i -ne '$_=JSON::from_json($_);$_->{reloadUrls}={};print JSON->new->pretty->canonical->encode($_)' /var/lib/lemonldap-ng/conf/lmConf-1.json && \
     perl -i -pe 's/\r//g' /usr/share/perl5/Lemonldap/NG/Common/Conf/DefaultValues.pm && \
     echo "patch no-none.patch" && patch -p1 <no-none.patch && \
+    echo "patch oidc-op-claims.patch" && patch -p1 <oidc-op-claims.patch && \
     rm -f *.patch
 
 #COPY syslogopt.patch .

diff --git a/base/oidc-op-claims.patch b/base/oidc-op-claims.patch
@@ -0,0 +1,14 @@
+--- a/usr/share/perl5/Lemonldap/NG/Common/JWT.pm
++++ b/usr/share/perl5/Lemonldap/NG/Common/JWT.pm
+@@ -40,9 +40,9 @@ sub getAccessTokenSessionId {
+ sub getJWTPart {
+     my ( $jwt, $part ) = @_;
+     my @jwt_parts = split( /\./, $jwt );
+-    my $data      = decode_base64url( $jwt_parts[$part] );
++    return undef unless @jwt_parts > 1;
+     my $json_hash;
+-    eval { $json_hash = from_json($data); };
++    eval { $json_hash = from_json( decode_base64url( $jwt_parts[$part] ) ); };
+     return undef if ($@);
+     return $json_hash;
+ }
diff --git a/full/install/etc/lemonldap-ng/manager-nginx.conf b/full/install/etc/lemonldap-ng/manager-nginx.conf
@@ -48,16 +48,20 @@ server {
   location /doc/ {
     alias __DEFDOCDIR__;
     index index.html start.html;
+    add_header Cache-Control "public";
   }
   location /lib/ {
     alias __DEFDOCDIR__pages/documentation/current/lib/;
+    add_header Cache-Control "public";
   }
   location /static/ {
     alias __MANAGERSTATICDIR__;
+    add_header Cache-Control "public";
   }
 
   location /javascript/ {
     alias /usr/share/javascript/;
+    add_header Cache-Control "public";
   }
 
 }
diff --git a/full/oidc-op-claims.patch b/full/oidc-op-claims.patch
diff --git a/manager/install/etc/lemonldap-ng/manager-nginx.conf b/manager/install/etc/lemonldap-ng/manager-nginx.conf
@@ -48,16 +48,20 @@ server {
   location /doc/ {
     alias __DEFDOCDIR__;
     index index.html start.html;
+    add_header Cache-Control "public";
   }
   location /lib/ {
     alias __DEFDOCDIR__pages/documentation/current/lib/;
+    add_header Cache-Control "public";
   }
   location /static/ {
     alias __MANAGERSTATICDIR__;
+    add_header Cache-Control "public";
   }
 
   location /javascript/ {
     alias /usr/share/javascript/;
+    add_header Cache-Control "public";
   }
 
 }
diff --git a/manager/oidc-op-claims.patch b/manager/oidc-op-claims.patch
diff --git a/portal/install/etc/lemonldap-ng/portal-nginx.conf b/portal/install/etc/lemonldap-ng/portal-nginx.conf
@@ -98,9 +98,11 @@ server {
 
   location /static/ {
     alias __PORTALSTATICDIR__;
+    add_header Cache-Control "public";
   }
 
   location /javascript/ {
     alias /usr/share/javascript/;
+    add_header Cache-Control "public";
   }
 }
diff --git a/portal/oidc-op-claims.patch b/portal/oidc-op-claims.patch
@@ -1,29 +1,43 @@
 --- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
 +++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
-@@ -42,7 +42,27 @@ sub getUser {
+@@ -2,6 +2,7 @@ package Lemonldap::NG::Portal::UserDB::OpenIDConnect;
+
+ use strict;
+ use Mouse;
++use Lemonldap::NG::Common::JWT 'getJWTPayload';
+ use Lemonldap::NG::Portal::Main::Constants qw(
+   PE_OIDC_AUTH_ERROR
+   PE_BADCREDENTIALS
+@@ -42,7 +43,33 @@ sub getUser {
          return PE_ERROR;
      }
 
 -    my $userinfo_content = $self->getUserInfo( $op, $access_token );
 +    my $userinfo_content;
-+    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
-+        my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
-+        $userinfo_content =
-+          eval { JSON::from_json( MIME::Base64::decode_base64url($tmp) ) };
-+        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    my $source = $self->opOptions->{$op}->{oidcOPMetaDataOptionsUserinfoSource}
++      || 'userinfo';
++    if ( $source eq 'id_token' ) {
++        $userinfo_content = getJWTPayload( $req->data->{id_token} );
++        $self->logger->error(
++            "Unable to read ID token content: " . $req->data->{id_token} )
++          unless ($userinfo_content);
 +    }
-+    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
-+        my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
-+        eval {
-+            $tmp = JSON::from_json( MIME::Base64::decode_base64url($tmp) );
-+            $userinfo_content =
-+              $userinfo_content
-+              ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
-+              : $tmp;
-+        };
-+        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    elsif ( $source eq 'access_token' ) {
++        my $tmp = getJWTPayload($access_token);
++        if ($tmp) {
++            $userinfo_content = { %{ $userinfo_content || {} }, %$tmp };
++        }
++        else {
++            $self->logger->error(
++                "Unable to read ID token content: $access_token");
++        }
 +    }
 +    unless ($userinfo_content) {
++        unless ( $source eq 'userinfo' ) {
++            $self->logger->error(
++                "Failed to get user info from $source, trying userinfo endpoint"
++            );
++        }
 +        $userinfo_content = $self->getUserInfo( $op, $access_token );
 +    }
 

diff --git a/uwsgi-portal/install/etc/lemonldap-ng/portal-nginx.conf b/uwsgi-portal/install/etc/lemonldap-ng/portal-nginx.conf
@@ -100,9 +100,11 @@ server {
 
   location /static/ {
     alias __PORTALSTATICDIR__;
+    add_header Cache-Control "public";
   }
 
   location /javascript/ {
     alias /usr/share/javascript/;
+    add_header Cache-Control "public";
   }
 }
diff --git a/uwsgi-portal/oidc-op-claims.patch b/uwsgi-portal/oidc-op-claims.patch
@@ -1,29 +1,43 @@
 --- a/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
 +++ b/usr/share/perl5/Lemonldap/NG/Portal/UserDB/OpenIDConnect.pm
-@@ -42,7 +42,27 @@ sub getUser {
+@@ -2,6 +2,7 @@ package Lemonldap::NG::Portal::UserDB::OpenIDConnect;
+
+ use strict;
+ use Mouse;
++use Lemonldap::NG::Common::JWT 'getJWTPayload';
+ use Lemonldap::NG::Portal::Main::Constants qw(
+   PE_OIDC_AUTH_ERROR
+   PE_BADCREDENTIALS
+@@ -42,7 +43,33 @@ sub getUser {
          return PE_ERROR;
      }
 
 -    my $userinfo_content = $self->getUserInfo( $op, $access_token );
 +    my $userinfo_content;
-+    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsIDTokenForceClaims} ) {
-+        my ( undef, $tmp, undef ) = split /\./, $req->data->{id_token};
-+        $userinfo_content =
-+          eval { JSON::from_json( MIME::Base64::decode_base64url($tmp) ) };
-+        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    my $source = $self->opOptions->{$op}->{oidcOPMetaDataOptionsUserinfoSource}
++      || 'userinfo';
++    if ( $source eq 'id_token' ) {
++        $userinfo_content = getJWTPayload( $req->data->{id_token} );
++        $self->logger->error(
++            "Unable to read ID token content: " . $req->data->{id_token} )
++          unless ($userinfo_content);
 +    }
-+    if ( $self->opOptions->{$op}->{oidcOPMetaDataOptionsAccessTokenClaims} ) {
-+        my ( undef, $tmp, undef ) = split /\./, $req->data->{access_token};
-+        eval {
-+            $tmp = JSON::from_json( MIME::Base64::decode_base64url($tmp) );
-+            $userinfo_content =
-+              $userinfo_content
-+              ? { %{ $userinfo_content || {} }, %{ $tmp || {} } }
-+              : $tmp;
-+        };
-+        $self->logger->error("Unable to read ID token content: $@") if ($@);
++    elsif ( $source eq 'access_token' ) {
++        my $tmp = getJWTPayload($access_token);
++        if ($tmp) {
++            $userinfo_content = { %{ $userinfo_content || {} }, %$tmp };
++        }
++        else {
++            $self->logger->error(
++                "Unable to read ID token content: $access_token");
++        }
 +    }
 +    unless ($userinfo_content) {
++        unless ( $source eq 'userinfo' ) {
++            $self->logger->error(
++                "Failed to get user info from $source, trying userinfo endpoint"
++            );
++        }
 +        $userinfo_content = $self->getUserInfo( $op, $access_token );
 +    }