Merge branch 'develop' into staging

Replace header with nicer values

Makefile

@@ -4,8 +4,8 @@
 
 SOURCE=eole-lemonldap
 VERSION=0.1
-EOLE_VERSION=2.6
-EOLE_RELEASE=2.6.2
+EOLE_VERSION=2.7
+EOLE_RELEASE=2.7.2
 PKGAPPS=non
 #FLASK_MODULE=<APPLICATION>
 

README.md

@@ -12,12 +12,12 @@ GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
 
 #### LemonLDAP::NG repository
  
-* deb     https://lemonldap-ng.org/deb stable main
-* deb-src https://lemonldap-ng.org/deb stable main
+* deb     https://lemonldap-ng.org/deb 1.9 main
+* deb-src https://lemonldap-ng.org/deb 1.9 main
 * Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 
 
 #### Cadoles Repository
-* deb [ arch=all  ] https://vulcain.cadoles.com 2.6.2-dev main
+* deb [ arch=all  ] https://vulcain.cadoles.com 2.7.2-dev main
 * Key URL : https://vulcain.cadoles.com/cadoles.gpg
 
 ### Install packages

dicos/70_lemonldap_ng.xml

@@ -8,6 +8,7 @@
 		<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
+        <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
 		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
 		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
 		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
@@ -34,6 +35,10 @@
 			<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
 			<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
 			<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
+            <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
+                <value>4</value>
+            </variable>
+
 			<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
 				<value>admin</value>
 			</variable>
@@ -67,6 +72,7 @@
 			</variable>
 			<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
 			<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
+			<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
 		</family>
         <separators>
 		    <separator name="managerWebName">Configuration DNS</separator>
@@ -132,5 +138,6 @@
 		<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
 		<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
 		<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
+		<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
 	</help>
 </creole>

tmpl/handler-nginx.conf

@@ -39,7 +39,7 @@ server {
 
   error_page   403 404 502 503 504  /nginx.html;
   location = /nginx.html{
-       root /usr/share/nginx/www;
+       root /usr/share/nginx/html;
     }
 
   location = /reload {

tmpl/lemonldap-ng-fastcgi-server

@@ -0,0 +1,15 @@
+# Number of process (default: 7)
+NPROC = %%lemonproc
+
+# Unix socket to listen to
+SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
+
+# Pid file
+PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+
+# User and GROUP
+USER=www-data
+GROUP=www-data
+
+# Custom functions file
+#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm

tmpl/manager-nginx.conf

@@ -20,7 +20,7 @@ server {
 
   error_page   403 404 502 503 504  /nginx.html;
   location = /nginx.html{
-    root /usr/share/nginx/www;
+    root /usr/share/nginx/html;
   } 
 
   root /usr/share/lemonldap-ng/manager/htdocs/;

tmpl/portal-nginx.conf

@@ -4,6 +4,9 @@
 #  default           "";
 #  ~/CN=(?<CN>[^/]+) $CN;
 #}
+%set %%webDomain = %%authWebName.split('.',1)[1]
+%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
+
 
 server {
   listen 80;
@@ -22,6 +25,7 @@ server {
   ssl_certificate_key %%server_key;
 %end if
   ssl_client_certificate /etc/ssl/certs/ca..crt;
+  ssl_session_cache shared:SSL:10m;
   access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
   server_name %%authWebName;
   root /usr/share/lemonldap-ng/portal/htdocs/;
@@ -40,6 +44,8 @@ server {
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO  $fastcgi_path_info;
+    fastcgi_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
 
   }
 

tmpl/test-nginx.conf

@@ -50,6 +50,7 @@ server {
     ##################################
     auth_request /lmauth;
     auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
     auth_request_set $lmlocation $upstream_http_location;
     # If CDA is used, uncomment this
     #auth_request_set $cookie_value $upstream_http_set_cookie;