From: FusionDirectory Packagers <team+fusiondirectory@tracker.debian.org>
Date: Thu, 11 Jul 2024 17:52:17 +0000
Subject: Backport changes required for newer php-cas API

Origin: https://github.com/fusiondirectory/fusiondirectory/commit/299a320a7fe905402aea85b899dbd5a9cab9324c
Origin: https://github.com/fusiondirectory/fusiondirectory/commit/7ded986a5f5aabe2670cd176caeb9d76f8555dca
Origin: https://github.com/fusiondirectory/fusiondirectory/commit/39019502aa36b211aa283fac3b922c3806c2fef5
Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>

To address CVE-2022-39369, php-cas needs an API change.
This patch backports the required upstream changes to the buster version.
The patch also adds the switch for php-cas verbose mode, for better troubleshooting.
Last-Update: 2023-06-27 <YYYY-MM-DD, last update of the meta-information, optional>
---
 core/contrib/openldap/core-fd-conf.schema  | 21 ++++++++++++-
 core/html/index.php                        | 49 ++++++++++++++++++++++++------
 core/plugins/config/class_configInLdap.inc | 29 +++++++++++++++++-
 3 files changed, 87 insertions(+), 12 deletions(-)

diff --git a/core/contrib/openldap/core-fd-conf.schema b/core/contrib/openldap/core-fd-conf.schema
index 840d1ff..8edcc20 100644
--- a/core/contrib/openldap/core-fd-conf.schema
+++ b/core/contrib/openldap/core-fd-conf.schema
@@ -452,6 +452,25 @@ attributetype ( 1.3.6.1.4.1.38414.8.21.5 NAME 'fdCasContext'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
   SINGLE-VALUE)
 
+attributetype ( 1.3.6.1.4.1.38414.8.21.6 NAME 'fdCasVerbose'
+  DESC 'FusionDirectory - CAS verbose flag'
+  EQUALITY booleanMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.38414.8.21.7 NAME 'fdCasLibraryBool'
+  DESC 'FusionDirectory - CAS boolean to activate CAS library >= 1.6'
+  EQUALITY booleanMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.38414.8.21.8 NAME 'fdCasClientServiceName'
+  DESC 'FusionDirectory - CAS client service name'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE)
+
 # merged from dashboard-fd.schema - Needed by Fusion Directory for dashboard options
 
 attributetype ( 1.3.6.1.4.1.38414.27.1.1 NAME 'fdDashboardPrefix'
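Review bot: The DESC on `fdCasClientServiceName` ('CAS client service name') undersells a security-relevant setting: as far as I understand phpCAS >= 1.6, the extra argument this patch wires up is the service base URL the library uses instead of deriving it from the request Host header, which is the CVE-2022-39369 issue the description says this backport is for. An administrator reading the schema cannot tell that the value must be the full origin of this FusionDirectory instance as the CAS server sees it, nor that it is an IA5 string with no URL validation behind it. I would make the DESC carry that: `DESC 'FusionDirectory - base URL (scheme://host[:port]) of this instance, passed to phpCAS >= 1.6 as the service base URL instead of the request Host header'`. The two boolean attributes are fine as written.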
@@ -563,7 +582,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
     fdPluginsMenuBlacklist $
     fdAclTabOnObjects $ fdDepartmentCategories $
     fdSslCaCertPath $ fdSslKeyPath $ fdSslCertPath $
-    fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext
+    fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext $ fdCasVerbose $fdCasLibraryBool $ fdCasClientServiceName
   ) )
 
 objectclass ( 1.3.6.1.4.1.38414.8.2.2 NAME 'fusionDirectoryPluginsConf'
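Review bot: The MAY list on the new line has `$fdCasLibraryBool` with no space after the separator, unlike every other entry on the line. RFC 4512 allows zero whitespace around `$`, so OpenLDAP should still parse it, but the line no longer follows the file's pattern and is easy to misread as a different token. Suggested: `fdCasActivated $ fdCasServerCaCertPath $ fdCasHost $ fdCasPort $ fdCasContext $ fdCasVerbose $ fdCasLibraryBool $ fdCasClientServiceName`.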
diff --git a/core/html/index.php b/core/html/index.php
index 38918fb..8a8dfcb 100644
--- a/core/html/index.php
+++ b/core/html/index.php
@@ -121,13 +121,29 @@ if (isset($_REQUEST['signout']) && $_REQUEST['signout']) {
       /* Move FD autoload after CAS autoload */
       spl_autoload_unregister('__fusiondirectory_autoload');
       spl_autoload_register('__fusiondirectory_autoload');
+
+      if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
+          phpCAS::setVerbose(TRUE);
+      }
+
+    // Initialize CAS with proper library and call.
+    if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
       phpCAS::client(
         CAS_VERSION_2_0,
         $config->get_cfg_value('casHost', 'localhost'),
-        (int)($config->get_cfg_value('casPort', 443)),
-        $config->get_cfg_value('casContext', '')
+        (int) ($config->get_cfg_value('casPort', 443)),
+        $config->get_cfg_value('casContext'),
+        $config->get_cfg_value('CasClientServiceName')
       );
-      // Set the CA certificate that is the issuer of the cert
+    } else {
+      phpCAS::client(
+        CAS_VERSION_2_0,
+        $config->get_cfg_value('casHost', 'localhost'),
+        (int) ($config->get_cfg_value('casPort', 443)),
+        $config->get_cfg_value('casContext')
+      );
+    }
+
       phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
       phpCas::logout();
     }
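Review bot: In the `CasLibraryBool` branch, `CasClientServiceName` is passed straight into `phpCAS::client()` with no check that it was ever set, so a configuration where the 1.6 flag is on but the service field is empty hands the library an empty value for the argument that the newer phpCAS uses in place of the request Host header (the CVE-2022-39369 fix this patch is backporting, per its description); I would fail closed before the call rather than let the library decide, e.g. `$service = $config->get_cfg_value('CasClientServiceName'); if ($service === '') { throw new Exception('CAS client service name is required with php-cas >= 1.6'); }`, using whatever fatal-error path index.php already has. The verbose test uses `== 'TRUE'` while the library test a few lines below uses `=== 'TRUE'`; make both strict. The new `if`/`else` lines sit at 4 spaces inside a body indented at 6, which makes the branch look like it belongs to an outer scope. The enclosing `if (isset($_REQUEST['signout']) ...)` block begins before the hunk.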
@@ -518,14 +534,27 @@ class Index {
     $message = '';
 
     //~ phpCAS::setDebug();
-
+    if ($config->get_cfg_value('CasVerbose') == 'TRUE') {
+        phpCAS::setVerbose(TRUE);
+    }
+    
     // Initialize phpCAS
-    phpCAS::client(
-      CAS_VERSION_2_0,
-      $config->get_cfg_value('casHost', 'localhost'),
-      (int)($config->get_cfg_value('casPort', 443)),
-      $config->get_cfg_value('casContext', '')
-    );
+    if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
+      phpCAS::client(
+        CAS_VERSION_2_0,
+        $config->get_cfg_value('casHost', 'localhost'),
+        (int) ($config->get_cfg_value('casPort', 443)),
+        $config->get_cfg_value('casContext'),
+        $config->get_cfg_value('CasClientServiceName')
+      );
+    } else {
+      phpCAS::client(
+        CAS_VERSION_2_0,
+        $config->get_cfg_value('casHost', 'localhost'),
+        (int) ($config->get_cfg_value('casPort', 443)),
+        $config->get_cfg_value('casContext')
+      );
+    }
 
     // Set the CA certificate that is the issuer of the cert
     phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
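Review bot: The CAS initialisation in this hunk is a verbatim copy of the one added to the signout path earlier in the same file (verbose flag, the two `phpCAS::client()` call shapes, then `setCasServerCACert`), so the next change to the client arguments — for example adding the empty-service-name check — has to be made twice and the two paths will drift. I would factor it into one helper, presumably a static method on `Index` since that is the class this hunk is in, and call it from both places (`Index::initCasClient($config);` replaces the block in the signout path and the block here). The `CasVerbose` comparison in this hunk also uses `==` while the `CasLibraryBool` one uses `===`; the helper below makes both strict. The method that contains this hunk starts before it and continues after it.

```php
  /* Build the phpCAS client from the LDAP configuration.
   * Shared by the signout path and the login path so the two stay in step. */
  static function initCasClient ($config)
  {
    if ($config->get_cfg_value('CasVerbose') === 'TRUE') {
      phpCAS::setVerbose(TRUE);
    }
    $args = array(
      CAS_VERSION_2_0,
      $config->get_cfg_value('casHost', 'localhost'),
      (int) $config->get_cfg_value('casPort', 443),
      $config->get_cfg_value('casContext'),
    );
    if ($config->get_cfg_value('CasLibraryBool') === 'TRUE') {
      /* phpCAS >= 1.6 takes the service base URL explicitly instead of
       * deriving it from the request Host header (CVE-2022-39369) */
      $args[] = $config->get_cfg_value('CasClientServiceName');
    }
    phpCAS::client(...$args);
    // Set the CA certificate that is the issuer of the cert
    phpCAS::setCasServerCACert($config->get_cfg_value('casServerCaCertPath'));
  }

  // … unchanged: start of the method containing this hunk, $message = '' …
    static::initCasClient($config);
  // … unchanged: rest of the method …
```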
diff --git a/core/plugins/config/class_configInLdap.inc b/core/plugins/config/class_configInLdap.inc
index 5f19db7..fe9545c 100644
--- a/core/plugins/config/class_configInLdap.inc
+++ b/core/plugins/config/class_configInLdap.inc
@@ -277,6 +277,18 @@ class configInLdap extends simplePlugin
             'fdCasContext', FALSE,
             '/cas'
           ),
+          new BooleanAttribute(
+            _('Verbose error'), _('Activate verbose errors in phpCAS. Avoid in production.'),
+            'fdCasVerbose', FALSE
+          ),
+          new BooleanAttribute(
+            _('Library CAS 1.6'), _('Activate if library CAS >= 1.6 is being used.'),
+            'fdCasLibraryBool', FALSE
+          ),
+          new StringAttribute(
+            _('Client service'), _('The client service name'),
+            'fdCasClientServiceName', FALSE
+          ),
         )
       ),
       'people_and_group' => array(
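Review bot: The help text for `fdCasClientServiceName` ('The client service name') does not tell the administrator what to put in the field, and this is the value that, with php-cas >= 1.6, replaces the request-derived service URL the CVE-2022-39369 fix removed (inferred from the patch description and the new `phpCAS::client()` argument; the attribute here is a plain `StringAttribute` with no URL check). I would reword it as `_('Base URL of this FusionDirectory instance as the CAS server must see it (scheme://host[:port]). Required when "Library CAS 1.6" is enabled.')` and label it `_('Client service URL')`. The 'Library CAS 1.6' description could likewise say that enabling it changes the `phpCAS::client()` call signature, so that it is only turned on when the installed php-cas actually accepts the extra argument.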
@@ -548,6 +560,9 @@ class configInLdap extends simplePlugin
             'fdCasHost',
             'fdCasPort',
             'fdCasContext',
+            'fdCasVerbose',
+            'fdCasClientServiceName',
+            'fdCasLibraryBool'
           )
         )
       )
@@ -570,7 +585,19 @@ class configInLdap extends simplePlugin
         )
       )
     );
-  }
+
+    // CAS boolean case to allow the use of CAS library >= 1.6
+    
+    $this->attributesAccess['fdCasLibraryBool']->setManagedAttributes(
+      array(
+        'disable' => array (
+          FALSE => array (
+            'fdCasClientServiceName',
+          )
+        )
+      )
+    );
+}
 
   function compute_dn()
   {
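Review bot: The closing `}` of the method that contains this hunk was moved to column 0 (it was `  }` before) and the blank line after the new comment carries trailing whitespace, so the method no longer matches the two-space indentation of every other method in the class, including `compute_dn` directly below; restore `  }`. Note that `setManagedAttributes` only disables the service-name field in the UI when the 1.6 flag is off; it does not make the field mandatory when the flag is on, so an empty value can still be saved and will be handed to phpCAS by index.php — worth a comment here, e.g. `// UI only: the field is greyed out when the 1.6 flag is off, nothing enforces it when the flag is on`. The method this hunk closes starts before the hunk.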
