Bug#1036017: marked as done (unblock: lemonldap-ng/2.16.1+ds-2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 15 May 2023 20:27:23 +0000
with message-id <E1pyemx-002dwV-8J@respighi.debian.org>
and subject line unblock lemonldap-ng
has caused the Debian Bug report #1036017,
regarding unblock: lemonldap-ng/2.16.1+ds-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036017: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036017
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: lemonldap-ng/2.16.1+ds-2
• From: Yadd <yadd@debian.org>
• Date: Sat, 13 May 2023 07:32:29 +0400
• Message-id: <[🔎] 168394874908.2290146.7147438326521509324.reportbug@debian007.xnr.fr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: lemonldap-ng@packages.debian.org
Control: affects -1 + src:lemonldap-ng

Please unblock package lemonldap-ng

[ Reason ]
The change introduced in version 2.16.1 breaks the "viewer" (a secondary
component of lemonldap-ng which permits to give a read-only view to the
configuration.
Also there is a little security issue in OpenID-Connect dur to an
incorrect regexp.

[ Impact ]
- Regression in viewer
- Little security issue

[ Risks ]
No risk here:
 * the fix-OP-acr-parsing.patch is trivial
 * the fix-viewer-endpoint.patch is just a partial revert

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock lemonldap-ng/2.16.1+ds-2

diff --git a/debian/changelog b/debian/changelog
index 5799391bf..8de0d083f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium
+
+  * Fix incorrect parsing of OP-provided acr
+  * Fix regression introduced in 2.16.1 that render viewer unusable
+
+ -- Yadd <yadd@debian.org>  Fri, 12 May 2023 21:10:49 +0400
+
 lemonldap-ng (2.16.1+ds-1) unstable; urgency=medium
 
   * Update debian/clean: clean sphynx lock
diff --git a/debian/patches/fix-OP-acr-parsing.patch b/debian/patches/fix-OP-acr-parsing.patch
new file mode 100644
index 000000000..92ba116f4
--- /dev/null
+++ b/debian/patches/fix-OP-acr-parsing.patch
@@ -0,0 +1,41 @@
+Description: fix incorrect parsing of OP-provided acr
+ Bug description:
+ .
+ * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token
+ * Set oidcOPMetaDataOptionsAcrValues to loa-1
+ ACR value 1 is accepted despite not being part of the list ['loa-1']
+ .
+ The problem is in this regexp:
+ .
+   unless ( $acr_values =~ /\b$acr\b/i ) {
+ .
+ because \b matches too many things (in the example: it matches -)
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, commit: 3691978f
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875
+Forwarded: not-needed
+Applied-Upstream: 2.16.2, commit: 3691978f
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-09
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+@@ -803,7 +803,7 @@
+             $self->logger->error("ACR was not returned by OP $op");
+             return 0;
+         }
+-        unless ( $acr_values =~ /\b$acr\b/i ) {
++        unless ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) {
+             $self->logger->error(
+                 "ACR $acr not listed in request ACR values ($acr_values)");
+             return 0;
+--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
++++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t
+@@ -492,6 +492,7 @@
+                         oidcOPMetaDataOptionsCheckJWTSignature => 1,
+                         oidcOPMetaDataOptionsJWKSTimeout       => 0,
+                         oidcOPMetaDataOptionsClientSecret      => "rpsecret",
++                        oidcOPMetaDataOptionsAcrValues => "loa-32 customacr-1",
+                         oidcOPMetaDataOptionsScope => "openid profile email",
+                         oidcOPMetaDataOptionsStoreIDToken     => 0,
+                         oidcOPMetaDataOptionsMaxAge           => 30,
diff --git a/debian/patches/fix-viewer-endpoint.patch b/debian/patches/fix-viewer-endpoint.patch
new file mode 100644
index 000000000..9aaf6c59f
--- /dev/null
+++ b/debian/patches/fix-viewer-endpoint.patch
@@ -0,0 +1,46 @@
+Description: fix viewer endpoint
+ Regression introduced in 2.16.1
+Author: Maxime Besson <maxime.besson@worteks.com>
+Origin: upstream, commit:c330347f
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909
+Forwarded: not-needed
+Applied-Upstream: 2.16.2, commit:c330347f 
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-09
+
+--- a/doc/sources/admin/viewer.rst
++++ b/doc/sources/admin/viewer.rst
+@@ -39,11 +39,11 @@
+     In Manager: \* Declare a Virtual Host : manager.example.com \* Set an
+     access rule for each enabled module :
+ 
+-    #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs|$) = $uid
++    #. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs) = $uid
+        eq 'dwho'
+     #. Notifications : ^/(.*?\.(fcgi|psgi)/)?notifications = $uid eq 'dwho'
+     #. Sessions : ^/(.*?\.(fcgi|psgi)/)?sessions = $uid eq 'dwho'
+-    #. Viewer : ^/(.*?\.(fcgi|psgi)/)?viewer = $uid =~ /\b(?:dwho|rtyler)\b/
++    #. Viewer : ^/(.*?\.(fcgi|psgi)/)?view = $uid =~ /\b(?:dwho|rtyler)\b/
+     #. Default : $uid =~ /\b(?:dwho|rtyler)\b/
+ 
+ 
+--- a/lemonldap-ng-manager/site/coffee/viewer.coffee
++++ b/lemonldap-ng-manager/site/coffee/viewer.coffee
+@@ -260,7 +260,7 @@
+ 			$scope.waiting = true
+ 			console.log "Trying to get key #{node.cnodes}"
+ 			uri = encodeURI node.cnodes
+-			$http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then (response) ->
++			$http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{uri}").then (response) ->
+ 				data = response.data
+ 				# Manage datas errors
+ 				if not data
+@@ -368,7 +368,7 @@
+ 						uri = encodeURI node.get
+ 					else
+ 						console.log "Trying to get title #{node.title}"
+-					$http.get("#{window.confPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then uri else node.title}").then (response) ->
++					$http.get("#{window.viewPrefix}#{$scope.currentCfg.cfgNum}/#{if node.get then uri else node.title}").then (response) ->
+ 						# Set default value if response is null or if asked by server
+ 						data = response.data
+ 						if (data.value == null or (data.error and data.error.match /setDefault$/ ) ) and node['default'] != null
diff --git a/debian/patches/series b/debian/patches/series
index 5a6c603f7..0fe038944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ Avoid-developer-tests.patch
 fix-for-pod2man.diff
 replace-api-doc-by-link.diff
 drop-network-test.patch
+fix-OP-acr-parsing.patch
+fix-viewer-endpoint.patch

--- End Message ---

--- Begin Message ---

• To: 1036017-done@bugs.debian.org
• Subject: unblock lemonldap-ng
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Mon, 15 May 2023 20:27:23 +0000
• Message-id: <E1pyemx-002dwV-8J@respighi.debian.org>

Unblocked.

--- End Message ---