Your message dated Mon, 15 May 2023 20:27:23 +0000
with message-id <[email protected]>
and subject line unblock lemonldap-ng
has caused the Debian Bug report #1036017,
regarding unblock: lemonldap-ng/2.16.1+ds-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1036017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036017
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:lemonldap-ng
Please unblock package lemonldap-ng
[ Reason ]
The change introduced in version 2.16.1 breaks the "viewer" (a secondary
component of lemonldap-ng which permits to give a read-only view to the
configuration.
Also there is a little security issue in OpenID-Connect dur to an
incorrect regexp.
[ Impact ]
- Regression in viewer
- Little security issue
[ Risks ]
No risk here:
* the fix-OP-acr-parsing.patch is trivial
* the fix-viewer-endpoint.patch is just a partial revert
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock lemonldap-ng/2.16.1+ds-2
diff --git a/debian/changelog b/debian/changelog
index 5799391bf..8de0d083f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium
+
+ * Fix incorrect parsing of OP-provided acr
+ * Fix regression introduced in 2.16.1 that render viewer unusable
+
+ -- Yadd <[email protected]> Fri, 12 May 2023 21:10:49 +0400
+
lemonldap-ng (2.16.1+ds-1) unstable; urgency=medium
* Update debian/clean: clean sphynx lock
diff --git a/debian/patches/fix-OP-acr-parsing.patch
b/debian/patches/fix-OP-acr-parsing.patch
new file mode 100644
index 000000000..92ba116f4
--- /dev/null
+++ b/debian/patches/fix-OP-acr-parsing.patch
@@ -0,0 +1,41 @@
+Description: fix incorrect parsing of OP-provided acr
+ Bug description:
+ .
+ * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token
+ * Set oidcOPMetaDataOptionsAcrValues to loa-1
+ ACR value 1 is accepted despite not being part of the list ['loa-1']
+ .
+ The problem is in this regexp:
+ .
+ unless ( $acr_values =~ /\b$acr\b/i ) {
+ .
+ because \b matches too many things (in the example: it matches -)
+Author: Maxime Besson <[email protected]>
+Origin: upstream, commit: 3691978f
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875
+Forwarded: not-needed
+Applied-Upstream: 2.16.2, commit: 3691978f
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2023-05-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -803,7 +803,7 @@
+ $self->logger->error("ACR was not returned by OP $op");
+ return 0;
+ }
+- unless ( $acr_values =~ /\b$acr\b/i ) {
++ unless ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) {
+ $self->logger->error(
+ "ACR $acr not listed in request ACR values ($acr_values)");
+ return 0;
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -492,6 +492,7 @@
+ oidcOPMetaDataOptionsCheckJWTSignature => 1,
+ oidcOPMetaDataOptionsJWKSTimeout => 0,
+ oidcOPMetaDataOptionsClientSecret => "rpsecret",
++ oidcOPMetaDataOptionsAcrValues => "loa-32
customacr-1",
+ oidcOPMetaDataOptionsScope => "openid profile email",
+ oidcOPMetaDataOptionsStoreIDToken => 0,
+ oidcOPMetaDataOptionsMaxAge => 30,
diff --git a/debian/patches/fix-viewer-endpoint.patch
b/debian/patches/fix-viewer-endpoint.patch
new file mode 100644
index 000000000..9aaf6c59f
--- /dev/null
+++ b/debian/patches/fix-viewer-endpoint.patch
@@ -0,0 +1,46 @@
+Description: fix viewer endpoint
+ Regression introduced in 2.16.1
+Author: Maxime Besson <[email protected]>
+Origin: upstream, commit:c330347f
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909
+Forwarded: not-needed
+Applied-Upstream: 2.16.2, commit:c330347f
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2023-05-09
+
+--- a/doc/sources/admin/viewer.rst
++++ b/doc/sources/admin/viewer.rst
+@@ -39,11 +39,11 @@
+ In Manager: \* Declare a Virtual Host : manager.example.com \* Set an
+ access rule for each enabled module :
+
+- #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs|$) = $uid
++ #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs) = $uid
+ eq 'dwho'
+ #. Notifications : ^/(.*?\.(fcgi|psgi)/)?notifications = $uid eq 'dwho'
+ #. Sessions : ^/(.*?\.(fcgi|psgi)/)?sessions = $uid eq 'dwho'
+- #. Viewer : ^/(.*?\.(fcgi|psgi)/)?viewer = $uid =~ /\b(?:dwho|rtyler)\b/
++ #. Viewer : ^/(.*?\.(fcgi|psgi)/)?view = $uid =~ /\b(?:dwho|rtyler)\b/
+ #. Default : $uid =~ /\b(?:dwho|rtyler)\b/
+
+
+--- a/lemonldap-ng-manager/site/coffee/viewer.coffee
++++ b/lemonldap-ng-manager/site/coffee/viewer.coffee
+@@ -260,7 +260,7 @@
+ $scope.waiting = true
+ console.log "Trying to get key #{node.cnodes}"
+ uri = encodeURI node.cnodes
+-
$http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then
(response) ->
++
$http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then
(response) ->
+ data = response.data
+ # Manage datas errors
+ if not data
+@@ -368,7 +368,7 @@
+ uri = encodeURI node.get
+ else
+ console.log "Trying to get
title #{node.title}"
+-
$http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then
uri else node.title}").then (response) ->
++
$http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then
uri else node.title}").then (response) ->
+ # Set default value if response
is null or if asked by server
+ data = response.data
+ if (data.value == null or
(data.error and data.error.match /setDefault$/ ) ) and node['default'] != null
diff --git a/debian/patches/series b/debian/patches/series
index 5a6c603f7..0fe038944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ Avoid-developer-tests.patch
fix-for-pod2man.diff
replace-api-doc-by-link.diff
drop-network-test.patch
+fix-OP-acr-parsing.patch
+fix-viewer-endpoint.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
