Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng
Please unblock package lemonldap-ng

[ Reason ]
The change introduced in version 2.16.1 breaks the "viewer" (a secondary component of lemonldap-ng which permits giving a read-only view of the configuration). Also there is a little security issue in OpenID-Connect due to an incorrect regexp.

[ Impact ]
- Regression in viewer
- Little security issue

[ Risks ]
No risk here:
* the fix-OP-acr-parsing.patch is trivial
* the fix-viewer-endpoint.patch is just a partial revert

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

Cheers,
Yadd

unblock lemonldap-ng/2.16.1+ds-2
diff --git a/debian/changelog b/debian/changelog index 5799391bf..8de0d083f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium + + * Fix incorrect parsing of OP-provided acr + * Fix regression introduced in 2.16.1 that render viewer unusable + + -- Yadd <y...@debian.org> Fri, 12 May 2023 21:10:49 +0400 + lemonldap-ng (2.16.1+ds-1) unstable; urgency=medium * Update debian/clean: clean sphynx lock diff --git a/debian/patches/fix-OP-acr-parsing.patch b/debian/patches/fix-OP-acr-parsing.patch new file mode 100644 index 000000000..92ba116f4 --- /dev/null +++ b/debian/patches/fix-OP-acr-parsing.patch 
@@ -0,0 +1,41 @@ +Description: fix incorrect parsing of OP-provided acr + Bug description: + . + * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token + * Set oidcOPMetaDataOptionsAcrValues to loa-1 + ACR value 1 is accepted despite not being part of the list ['loa-1'] + . + The problem is in this regexp: + . + unless ( $acr_values =~ /\b$acr\b/i ) { + . + because \b matches too many things (in the example: it matches -) +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, commit: 3691978f +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875 +Forwarded: not-needed +Applied-Upstream: 2.16.2, commit: 3691978f +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-05-09 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm ++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm +@@ -803,7 +803,7 @@ + $self->logger->error("ACR was not returned by OP $op"); + return 0; + } +- unless ( $acr_values =~ /\b$acr\b/i ) { ++ unless ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) { + $self->logger->error( + "ACR $acr not listed in request ACR values ($acr_values)"); + return 0; +--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t ++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t +@@ -492,6 +492,7 @@ + oidcOPMetaDataOptionsCheckJWTSignature => 1, + oidcOPMetaDataOptionsJWKSTimeout => 0, + oidcOPMetaDataOptionsClientSecret => "rpsecret", ++ oidcOPMetaDataOptionsAcrValues => "loa-32 customacr-1", + oidcOPMetaDataOptionsScope => "openid profile email", + oidcOPMetaDataOptionsStoreIDToken => 0, + oidcOPMetaDataOptionsMaxAge => 30, diff --git a/debian/patches/fix-viewer-endpoint.patch b/debian/patches/fix-viewer-endpoint.patch new file mode 100644 index 000000000..9aaf6c59f --- /dev/null +++ b/debian/patches/fix-viewer-endpoint.patch 
@@ -0,0 +1,46 @@ +Description: fix viewer endpoint + Regression introduced in 2.16.1 +Author: Maxime Besson <maxime.bes...@worteks.com> +Origin: upstream, commit:c330347f +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909 +Forwarded: not-needed +Applied-Upstream: 2.16.2, commit:c330347f +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-05-09 + +--- a/doc/sources/admin/viewer.rst ++++ b/doc/sources/admin/viewer.rst +@@ -39,11 +39,11 @@ + In Manager: \* Declare a Virtual Host : manager.example.com \* Set an + access rule for each enabled module : + +- #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs|$) = $uid ++ #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs) = $uid + eq 'dwho' + #. Notifications : ^/(.*?\.(fcgi|psgi)/)?notifications = $uid eq 'dwho' + #. Sessions : ^/(.*?\.(fcgi|psgi)/)?sessions = $uid eq 'dwho' +- #. Viewer : ^/(.*?\.(fcgi|psgi)/)?viewer = $uid =~ /\b(?:dwho|rtyler)\b/ ++ #. Viewer : ^/(.*?\.(fcgi|psgi)/)?view = $uid =~ /\b(?:dwho|rtyler)\b/ + #. 
Default : $uid =~ /\b(?:dwho|rtyler)\b/ + + +--- a/lemonldap-ng-manager/site/coffee/viewer.coffee ++++ b/lemonldap-ng-manager/site/coffee/viewer.coffee +@@ -260,7 +260,7 @@ + $scope.waiting = true + console.log "Trying to get key #{node.cnodes}" + uri = encodeURI node.cnodes +- $http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then (response) -> ++ $http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then (response) -> + data = response.data + # Manage datas errors + if not data +@@ -368,7 +368,7 @@ + uri = encodeURI node.get + else + console.log "Trying to get title #{node.title}" +- $http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then uri else node.title}").then (response) -> ++ $http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then uri else node.title}").then (response) -> + # Set default value if response is null or if asked by server + data = response.data + if (data.value == null or (data.error and data.error.match /setDefault$/ ) ) and node['default'] != null diff --git a/debian/patches/series b/debian/patches/series index 5a6c603f7..0fe038944 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,5 @@ Avoid-developer-tests.patch fix-for-pod2man.diff replace-api-doc-by-link.diff drop-network-test.patch +fix-OP-acr-parsing.patch +fix-viewer-endpoint.patch
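Review bot: the debian/changelog hunk has a grammar slip in the second entry, "Fix regression introduced in 2.16.1 that render viewer unusable"; it should read "that renders the viewer unusable".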
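Review bot: in the OpenIDConnect.pm hunk of fix-OP-acr-parsing.patch, the replacement line `+ unless ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) {` silently drops the `/i` flag of the old regexp, so the acr comparison becomes case-sensitive. That is the right behaviour (acr is an opaque string in OpenID Connect) and it also removes the old line's interpolation of the OP-supplied `$acr` into a pattern without `\Q...\E`, but it is a behaviour change for any deployment whose oidcOPMetaDataOptionsAcrValues differs from the OP's acr only in case, and deserves one sentence in the patch Description. The companion hunk in 32-Auth-and-issuer-OIDC-authorization_code.t only adds `oidcOPMetaDataOptionsAcrValues => "loa-32 customacr-1"` to the configuration; a test that asserts an ID token carrying acr `1` (the case from the bug description) is now rejected would actually cover the fix.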
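Review bot: the viewer.rst hunk of fix-viewer-endpoint.patch changes two access rules, and the first is easy to overlook: the Configuration rule loses its `|$` alternative, so the bare root path of manager.example.com is no longer matched by `$uid eq 'dwho'` and falls through to the Default rule `$uid =~ /\b(?:dwho|rtyler)\b/`, which also admits rtyler. If that is intended, the Description (which only mentions the viewer regression) should say so. Also, the documented Viewer and Default rules use the same `\b` word-boundary idiom that fix-OP-acr-parsing.patch removes from OpenIDConnect.pm for exactly the reason given there (`\b` is satisfied by `-` and `.`), so a uid that merely contains `dwho` or `rtyler` as a word passes these rules; the documentation example should use an anchored `^(?:dwho|rtyler)$` or an exact compare, as the Configuration rule already does.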
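Review bot: both viewer.coffee hunks switch the lazy-loading GET from `window.confPrefix` to `window.viewPrefix`, but nothing in the debdiff shows where `window.viewPrefix` is defined; if the viewer page template does not set it, the URL is built from the string "undefined" and the viewer stays unusable, so please confirm the template defines `viewPrefix` alongside `confPrefix` and that the documented `view` access rule covers exactly the paths this prefix produces. Since `.coffee` sources are compiled to JavaScript at build time, also confirm the Debian build regenerates the compiled viewer script rather than shipping a pre-built copy, otherwise the patch has no effect on the installed package.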
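To make the acr bug concrete, here is a small Perl script, written for this review and not taken from the lemonldap-ng code base or the debdiff, that runs the pre-patch word-boundary check and the patched exact-match check side by side over a handful of constructed (acr, acr_values) pairs, including the case from the bug description and the list from the added test configuration. The function names acr_allowed_old and acr_allowed_new are my own; only the two comparison expressions come from the patch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pre-patch check: the OP-provided $acr is interpolated unescaped into a
# word-boundary regexp, exactly as the old OpenIDConnect.pm line did.
# \b matches between "a" and "-", so "1" is "found" inside "loa-1".
sub acr_allowed_old {
    my ( $acr, $acr_values ) = @_;
    return ( $acr_values =~ /\b$acr\b/i ) ? 1 : 0;
}

# Patched check: split the configured list on whitespace or commas and
# require an exact, case-sensitive string match on one element.
sub acr_allowed_new {
    my ( $acr, $acr_values ) = @_;
    return ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) ? 1 : 0;
}

# Constructed cases: [ acr from ID token, configured acr_values, expected ]
my @cases = (
    [ '1',      'loa-1',              0 ],    # the reported bug
    [ 'loa-1',  'loa-1',              1 ],
    [ 'loa',    'loa-1',              0 ],    # prefix of a listed value
    [ 'loa-1',  'loa-32 customacr-1', 0 ],    # list from the added test
    [ 'loa-32', 'loa-32 customacr-1', 1 ],
    [ 'loa-1',  'loa-3, loa-1',       1 ],    # comma-separated list
    [ 'LOA-1',  'loa-1',              0 ],    # case matters after the patch
);

for my $c (@cases) {
    my ( $acr, $values, $want ) = @$c;
    my $old = acr_allowed_old( $acr, $values );
    my $new = acr_allowed_new( $acr, $values );
    printf "%-7s in %-22s old=%d new=%d expected=%d%s\n",
        $acr, "'$values'", $old, $new, $want,
        ( $old != $want ? '  <- old check wrong' : '' );
}
```

Running it shows the old check accepting `1`, `loa` and `LOA-1` against `loa-1`, while the patched check agrees with the expected column on every row. One edge worth knowing about the new expression: a leading space or comma in acr_values yields an empty first element from split, which can only ever equal an empty $acr, and the code just above the patched line already rejects an acr that the OP did not return.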