Merge remote-tracking branch 'origin/dev' into permission_protection

README.md

@@ -1,7 +1,7 @@
 SSOwat
 ======
 
-A simple LDAP SSO for nginx, written in Lua
+A simple LDAP SSO for NGINX, written in Lua.
 
 <a href="https://translate.yunohost.org/engage/yunohost/?utm_source=widget">
 <img src="https://translate.yunohost.org/widgets/yunohost/-/287x66-white.png" alt="Translation status" />
@@ -10,25 +10,25 @@ A simple LDAP SSO for nginx, written in Lua
 Issues
 ------
 
-- [Please report issues on YunoHost bugtracker](https://github.com/YunoHost/issues).
+- [Please report issues to the YunoHost bugtracker](https://github.com/YunoHost/issues).
 
 Requirements
 ------------
 
-- Nginx-extras from Debian wheezy-backports
+- `nginx-extras` from Debian wheezy-backports
-- lua-json
+- `lua-json`
-- lua-ldap
+- `lua-ldap`
-- lua-filesystem
+- `lua-filesystem`
-- lua-socket
+- `lua-socket`
-- lua-rex-pcre
+- `lua-rex-pcre`
 
 **OR**
 
-- Nginx "Openresty" flavored : http://openresty.org/
+- "OpenResty" flavored NGINX: https://openresty.org/
-- lua-ldap
+- `lua-ldap`
-- lua-filesystem
+- `lua-filesystem`
-- lua-socket
+- `lua-socket`
-- lua-rex-pcre
+- `lua-rex-pcre`
 
 Installation
 ------------
@@ -40,10 +40,10 @@ git clone https://github.com/YunoHost/SSOwat /etc/ssowat
 ```
 
 
-Nginx configuration
+NGINX configuration
 -------------------
 
-* Add SSOwat's Nginx configuration (`http{}` scope)
+* Add SSOwat's NGINX configuration (`http{}` scope)
 
 ```bash
 nano /etc/nginx/conf.d/ssowat.conf
@@ -72,11 +72,11 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`
 
 ## Available parameters
 
-These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
+Only the `portal_domain` SSOwat configuration parameters is required, but it is recommended to know the others to fully understand what you can do with it.
 
 #### portal_domain
 
-Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (**Required**)
+Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (**Required**).
 
 #### portal_path
 
@@ -84,92 +84,92 @@ URI of the authentication portal (**default**: `/ssowat/`). This path **must** e
 
 #### portal_port
 
-Web port of the authentication portal (**default**: `443` for `https`, `80` for `http`)
+Web port of the authentication portal (**default**: `443` for `https`, `80` for `http`).
 
 #### portal_scheme
 
-Whether authentication should use secure connection or not (**default**: `https`)
+Whether authentication should use secure connection or not (**default**: `https`).
 
 #### domains
 
-List of handled domains (**default**: similar to `portal_domain`)
+List of handled domains (**default**: similar to `portal_domain`).
 
 #### ldap_host
 
-LDAP server hostname (**default**: `localhost`)
+LDAP server hostname (**default**: `localhost`).
 
 #### ldap_group
 
-LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`)
+LDAP group to search in (**default**: `ou=users,dc=yunohost,dc=org`).
 
 #### ldap_identifier
 
-LDAP user identifier (**default**: `uid`)
+LDAP user identifier (**default**: `uid`).
 
 #### ldap_attributes
 
-User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
+User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`).
 
 #### ldap_enforce_crypt
 
-Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
+Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`).
 
 #### allow_mail_authentication
 
-Whether users can authenticate with their mail address (**default**: `true`)
+Whether users can authenticate with their mail address (**default**: `true`).
 
 #### login_arg
 
-URI argument to use for cross-domain authentication (**default**: `sso_login`)
+URI argument to use for cross-domain authentication (**default**: `sso_login`).
 
 #### additional_headers
 
-Array of additionnal HTTP headers to set once user is authenticated (**default**: `{ "Remote-User": "uid" }`)
+Array of additionnal HTTP headers to set once user is authenticated (**default**: `{ "Remote-User": "uid" }`).
 
 #### session_timeout
 
-The session expiracy time limit in seconds, since the last connection (**default**: `86400` / one day)
+The session expiracy time limit in seconds, since the last connection (**default**: `86400` / one day).
 
 #### session_max_timeout
 
-The session expiracy time limit in seconds (**default**: `604800` / one week)
+The session expiracy time limit in seconds (**default**: `604800` / one week).
 
 #### protected_urls
 
-List of priorily protected URLs and/or URIs (**by default, every URL is protected**)
+List of priorily protected URLs and/or URIs (**by default, every URL is protected**).
 
 #### protected_regex
 
-List of regular expressions to be matched against URLs **and** URIs to protect them
+List of regular expressions to be matched against URLs **and** URIs to protect them.
 
 #### skipped_urls
 
-List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to this array.
+List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to it.
 
 #### skipped_regex
 
-List of regular expressions to be matched against URLs **and** URIs to ignore them
+List of regular expressions to be matched against URLs **and** URIs to ignore them.
 
 #### unprotected_urls
 
-List of URLs and/or URIs that will not be affected by SSOwat **unless user is authenticated**
+List of URLs and/or URIs that will not be affected by SSOwat **unless a user is authenticated**.
 
 #### unprotected_regex
 
-List of regular expressions to be matched against URLs **and** URIs to ignore them **unless user is authenticated**
+List of regular expressions to be matched against URLs **and** URIs to ignore them **unless a user is authenticated**.
 
 #### redirected_urls
 
-Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`)
+Array of URLs and/or URIs to redirect and their redirect URI/URL (**example**: `{ "/": "example.org/subpath" }`).
 
 #### redirected_regex
 
-Array of regular expressions to be matched against URLS **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`)
+Array of regular expressions to be matched against URLs **and** URIs and their redirect URI/URL (**example**: `{ "example.org/megusta$": "example.org/subpath" }`).
 
 #### users
 
-2-level array containing usernames and their allowed URLs along with an App name (**example**: `{ "kload": { "kload.fr/myapp/": "My App" } }`)
+2-level array containing usernames and their allowed URLs along with an app name (**example**: `{ "kload": { "kload.fr/myapp/": "My App" } }`).
 
 #### default_language
 
-Language code used by default in views (**default**: `en`)
+Language code used by default in views (**default**: `en`).

access.lua

@@ -284,7 +284,7 @@ end
 
 function scandir(directory, callback)
     -- use find (and not ls) to list only files recursively and with their full path relative to the asked directory
-    local pfile = io.popen('find "'..directory..'" -type f')
+    local pfile = io.popen('find "'..directory..'" -type f -exec realpath --relative-to "'..directory..'" {} \\;')
     for filename in pfile:lines() do
         callback(filename)
     end

config.lua

@@ -11,14 +11,18 @@ function get_config()
     -- Load the configuration file
     local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
     local conf = json.decode(conf_file:read("*all"))
-
+    if conf_file ~= nil then
+        conf_file:close()
+    end
 
     -- Load additional rules from the `.persistent` configuration file.
     -- The `.persistent` file contains rules that will overwrite previous rules.
     -- It typically enables you to set custom rules.
     local persistent_conf_file = io.open(conf_path..".persistent", "r")
     if persistent_conf_file ~= nil then
-        for k, v in pairs(json.decode(persistent_conf_file:read("*all"))) do
+        perm_conf = json.decode(persistent_conf_file:read("*all"))
+        persistent_conf_file:close()
+        for k, v in pairs(perm_conf) do
 
            -- If the configuration key already exists and is a table, merge it
            if conf[k] and type(v) == "table" then

debian/changelog

@@ -1,3 +1,41 @@
+ssowat (4.0.3) stable; urgency=low
+
+  - Bump version number for stable release
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Wed, 29 Jul 2020 17:00:00 +0200
+
+ssowat (4.0.2~beta) testing; urgency=low
+
+  - Rebase on stretch-unstable and bump vrsion number for beta
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Fri, 19 Jun 2020 15:29:05 +0200
+
+ssowat (4.0.1~alpha) testing; urgency=low
+
+  - Bump version number for buster release
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Fri, 05 Jun 2020 17:26:35 +0200
+
+ssowat (3.8.0.3) stable; urgency=low
+
+  - [enh] Allow the user's password manager to automatically enter the password/username/new-password (1dae6e8)
+  - [fix] Closing the files when we're done reading them ([#160](https://github.com/YunoHost/SSOwat/pull/160))
+  - [fix] Clear cookies more properly ([#163](https://github.com/YunoHost/SSOwat/pull/163))
+
+  Thanks to all contributors <3 ! (Bram, E. Counasse, Kay0u, SilverViper)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Mon, 27 Jul 2020 17:50:44 +0200
+
+ssowat (3.8.0.2) stable; urgency=low
+
+  - [mod] Update author/maintainer information (6a14e78)
+  - [enh] README reworked (#165) (70c81c6)
+  - [fix] theme loading (#167, #168)
+
+  Thanks to all contributors <3 ! (Allan Nordhøy, Kay0u)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Thu, 18 Jun 2020 16:10:00 +0200
+
 ssowat (3.8.0.1) stable; urgency=low
 
   - [i18n] Improved translations for Chinese (Simplified), Dutch, Greek, Nepali, Polish, Spanish

debian/control

@@ -1,14 +1,14 @@
 Source: ssowat
 Section: net
 Priority: extra
-Maintainer: Adrien Beudin <beudbeud@yunohost.org>
+Maintainer: YunoHost Contributors <contrib@yunohost.org>
 Build-Depends: debhelper (>=8.0.0)
 Standards-Version: 3.9.1
 
 Package: ssowat
 Architecture: all
 Depends: nginx-extras (>=1.6.2), lua-ldap, lua-json, lua-rex-pcre, whois
-Homepage: http://www.yunohost.org
+Homepage: https://yunohost.org
-Description: SSOWAT
+Description: user portal with single sign-on designed for Yunohost
- Websso for yunohost 
+ A minimalist user portal with single sign-on, designed to be
-
+ interfaced with Yunohost.

helpers.lua

@@ -179,7 +179,7 @@ function set_auth_cookie(user, domain)
                        "; Expires="..os.date("%a, %d %b %Y %X UTC", expire)..
                        "; Secure"..
                        "; HttpOnly"..
-                       "; SameSite=Lax ;;"
+                       "; SameSite=Lax"
 
     ngx.header["Set-Cookie"] = {
         "SSOwAuthUser="..user..cookie_str,
@@ -199,7 +199,7 @@ function delete_cookie()
                            "; Expires="..expired_time..
                            "; Secure"..
                            "; HttpOnly"..
-                           "; SameSite=Lax ;;"
+                           "; SameSite=Lax"
         ngx.header["Set-Cookie"] = {
             "SSOwAuthUser="..cookie_str,
             "SSOwAuthHash="..cookie_str,
@@ -216,8 +216,8 @@ function delete_redirect_cookie()
                        "; Expires="..expired_time..
                        "; Secure"..
                        "; HttpOnly"..
-                       "; SameSite=Lax ;;"
+                       "; SameSite=Lax"
-    ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str
+    ngx.header["Set-Cookie"] = "SSOwAuthRedirect=" ..cookie_str
 end
 
 

portal/login.html

@@ -2,11 +2,11 @@
 <form class="login-form" name="input" action="" method="post">
   <div class="form-group">
     <label class="icon icon-user" for="user"><span class="element-invisible">{{t_username}}</span></label>
-    <input id="user" type="text" name="user" placeholder="{{t_username}}" class="form-text" autofocus required>
+    <input id="user" type="text" name="user" placeholder="{{t_username}}" class="form-text" autocomplete="username" autofocus required>
   </div>
   <div class="form-group">
     <label class="icon icon-lock" for="password"><span class="element-invisible">{{t_password}}</span></label>
-    <input id="password" type="password" name="password" placeholder="{{t_password}}" class="form-text" required>
+    <input id="password" type="password" name="password" placeholder="{{t_password}}" class="form-text" autocomplete="current-password" required>
   </div>
   <input type="submit" value="{{t_login}}" class="btn classic-btn large-btn">
 </form>

portal/password.html

@@ -20,14 +20,14 @@
     <div class="form-section">
       <div class="form-group">
         <label for="currentpassword">{{t_current_password}}</label>
-        <input type="password" class="form-text" id="currentpassword" name="currentpassword" placeholder="•••••" required>
+        <input type="password" class="form-text" id="currentpassword" name="currentpassword" placeholder="•••••" autocomplete="current-password" required>
       </div>
     </div>
     <div class="form-section">
       <div class="form-group">
         <label for="newpassword">{{t_new_password}}</label>
-        <input type="password" class="form-text" id="newpassword" name="newpassword" placeholder="•••••" required>
+        <input type="password" class="form-text" id="newpassword" name="newpassword" placeholder="•••••" autocomplete="new-password" required>
-        <input type="password" class="form-text" id="confirm" name="confirm" placeholder="{{t_confirm}}" required>
+        <input type="password" class="form-text" id="confirm" name="confirm" placeholder="{{t_confirm}}" autocomplete="new-password" required>
       </div>
       <div class="btn-group">
         <a role="button" href="portal.html" class="btn large-btn btn-default">{{t_cancel}}</a>