Merge pull request #1510 from kheimon/feat-cas-reverse-proxy

Add options to enable CAS Server Validation and set CAS Fixed Service URL to CAS Configuration
OCSInventory-NG · Sep 4, 2023 · 5b9c469 · 5b9c469
2 parents 56dde77 + 82f4d6e
commit 5b9c469
Show file tree

Hide file tree

Showing 8 changed files with 37 additions and 3 deletions.
diff --git a/backend/AUTH/methode/cas.php b/backend/AUTH/methode/cas.php
@@ -44,8 +44,22 @@ function get_cas_config() {
 
 if (!isset($sql_update)) {
     $cas->client(CAS_VERSION_2_0, $config['CAS_HOST'], (int)$config['CAS_PORT'], $config['CAS_URI']);
-    // uncomment following line if not using server validation
-    $cas->setNoCasServerValidation();
+    // Set Service URL
+    // required if operating behind a load balancer or reverse proxy.
+    if (!isset($config['CAS_BASEURL'])) {
+        $cas->setFixedServiceURL($config['CAS_BASEURL']);
+    }
+
+    // Set CAS Server CA Cert
+    // Strongly recommended for production environments
+    if (!isset($config['CAS_SERVER_CA_CERT_PATH'])) {
+        $cas->setCasServerCACert($config['CAS_SERVER_CA_CERT_PATH']);
+    } else {
+        // if CAS Server CA Cert Path not set, fall back to no validation.
+        $cas->setNoCasServerValidation();
+    }
+
+    // force CAS authentication on any page that includes this file.
     $cas->forceAuthentication();
     $login = $cas->getUser();
     $mdp = "";

diff --git a/files/update/7075.sql b/files/update/7075.sql
@@ -0,0 +1,5 @@
+-- Add CAS variables to config table
+
+INSERT IGNORE INTO `config` (NAME, IVALUE, TVALUE, COMMENTS)
+VALUES  ('CAS_BASEURL',0,'','Server URL as seen by CAS IdP, e.g. : https://ocs.example.com/ocsreports'),
+        ('CAS_SERVER_CA_CERT_PATH',0,'','Path to IdP Server CA Certificate for server validation function, e.g. : files/certificates/CA.pem');
diff --git a/plugins/language/de_DE/de_DE.txt b/plugins/language/de_DE/de_DE.txt
@@ -1648,6 +1648,8 @@
 9700 CAS Server Port, z.B. : 443
 9701 CAS Server URI, z.B. : /cas
 9702 CAS Server Host, z.B. : authentication.org
+9705 CAS Basis URI, z.B. : ocs.example.com
+9706 CAS Server CA-Zertifikatspfad, z.B. : /path/to/cachain.pem
 
 9704 CAS Konfiguration
 

diff --git a/plugins/language/en_GB/en_GB.txt b/plugins/language/en_GB/en_GB.txt
@@ -1847,6 +1847,8 @@
 9701 CAS server uri, e.g : /cas
 9702 CAS server host, e.g. : authentication.org
 9703 CAS default role, applied on first connection initiated using CAS authentication
+9705 CAS Base URI, e.g. : ocs.example.com
+9706 CAS Server CA Certificate Path, e.g. : /path/to/cachain.pem
 9704 CAS Configuration
 
 9800 Exclude archived computers from statistics, CVE inventory, all softwares count, computers per TAG count

diff --git a/plugins/language/fr_FR/fr_FR.txt b/plugins/language/fr_FR/fr_FR.txt
@@ -1842,6 +1842,8 @@
 9701 URI du serveur CAS, e.g : /cas
 9702 Adresse du serveur CAS, e.g. : authentication.org
 9703 Profil par défaut, appliqué à la première connexion CAS
+9705 URI de base du CAS, e.g. : ocs.example.com
+9706 Chemin du certificat du serveur CAS, e.g. : /path/to/cachain.pem
 9704 Configuration CAS
 
 9800 Exlure les machines archivées des Statistiques, de l'inventaire CVE, du compte de Tous les logiciels, du compte des machines par TAG

diff --git a/plugins/language/ja_JP/ja_JP.txt b/plugins/language/ja_JP/ja_JP.txt
@@ -1836,6 +1836,8 @@
 9701 CAS server uri, e.g : /cas
 9702 CAS server host, e.g. : authentication.org
 9703 CAS default role, applied on first connection initiated using CAS authentication
+9705 CAS Base URI, e.g. : ocs.example.com
+9706 CAS Server CA Certificate Path, e.g. : /path/to/cachain.pem
 9704 CAS Configuration
 
 9800 Exclude archived computers from statistics, CVE inventory, all softwares count, computers per TAG count

diff --git a/require/function_config_generale.php b/require/function_config_generale.php
@@ -392,6 +392,8 @@ function update_default_value($POST) {
         'CAS_URI' => 'CAS_URI',
         'CAS_HOST' => 'CAS_HOST',
         'CAS_DEFAULT_ROLE' => 'CAS_DEFAULT_ROLE',
+        'CAS_BASEURL' => 'CAS_BASEURL',
+        'CAS_SERVER_CA_CERT_PATH' => 'CAS_SERVER_CA_CERT_PATH',
         'VULN_CVESEARCH_HOST', 'VULN_BAN_LIST',
         'IT_SET_NAME_TEST', 'IT_SET_NAME_LIMIT', 'IT_SET_TAG_NAME',
         'IT_SET_NIV_CREAT', 'IT_SET_NIV_TEST', 'IT_SET_NIV_REST', 'IT_SET_NIV_TOTAL', 'EXPORT_SEP', 'WOL_PORT',
@@ -1048,6 +1050,8 @@ function pageCas() {
         'CAS_URI' => 'CAS_URI',
         'CAS_HOST' => 'CAS_HOST',
         'CAS_DEFAULT_ROLE' => 'CAS_DEFAULT_ROLE',
+        'CAS_BASEURL' => 'CAS_BASEURL',
+        'CAS_SERVER_CA_CERT_PATH' => 'CAS_SERVER_CA_CERT_PATH'
     );
     $values = look_config_default_values($champs);
     $role1 = get_profile_labels();
@@ -1058,6 +1062,8 @@ function pageCas() {
     ligne('CAS_URI', $l->g(9701) . '<br>' . '', 'input', array('VALUE' => $values['tvalue']['CAS_URI'] ?? '', 'SIZE' => "30%", 'MAXLENGTH' => 200));
     ligne('CAS_HOST', $l->g(9702) . '<br>' . '', 'input', array('VALUE' => $values['tvalue']['CAS_HOST'] ?? '', 'SIZE' => "30%", 'MAXLENGTH' => 200));
     ligne('CAS_DEFAULT_ROLE', $l->g(9703), 'select', array('VALUE' => $values['tvalue']['CAS_DEFAULT_ROLE'] ?? '', 'SELECT_VALUE' => $default_role));
+    ligne('CAS_BASEURL', $l->g(9705) . '<br>' . '', 'input', array('VALUE' => $values['tvalue']['CAS_BASEURL'] ?? '', 'SIZE' => "30%", 'MAXLENGTH' => 200));
+    ligne('CAS_SERVER_CA_CERT_PATH', $l->g(9706) . '<br>' . '', 'input', array('VALUE' => $values['tvalue']['CAS_SERVER_CA_CERT_PATH'] ?? '', 'SIZE' => "30%", 'MAXLENGTH' => 200));
 }
 
 

diff --git a/var.php b/var.php
@@ -73,7 +73,8 @@
 /**
  * OCS' MySQL database version
  */
-define('GUI_VER', '7074');
+
+define('GUI_VER', '7075');
 
 /**
  * GUI Version