worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity

Captcha and token in progress (#1140)

Browse Source
environments/ppa-mbqj77/deployments/1
Xavier Guimard 8 years ago
parent 81b47b7988
commit 234551387f
14 changed files with 140 additions and 104 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
  2. 36
      lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
  3. 2
      lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
  4. 18
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
  5. 23
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
  6. 6
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
  7. 4
      lemonldap-ng-manager/site/static/languages/en.json
  8. 4
      lemonldap-ng-manager/site/static/languages/fr.json
  9. 2
      lemonldap-ng-manager/site/static/reverseTree.json
  10. 2
      lemonldap-ng-manager/site/static/struct.json
  11. 130
      lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
  12. 4
      lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
  13. 8
      lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Request.pm
  14. 1
      lemonldap-ng-portal/t/lmConf-1.js

4
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
Unescape View File

@ -23,9 +23,9 @@ use constant HANDLERSECTION => "handler";
use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wpSslOpt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va))r|ca(?:s(?:StorageOption|Attribute)|ptchaStorageOption)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:uthChoiceModules|pplicationList)|v(?:hostOptions|irtualHost))$/;
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wpSslOpt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va))r|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|re(?:moteGlobalStorageOption|loadUrl)|cas(?:StorageOption|Attribute)|CAS_proxiedService|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:uthChoiceModules|pplicationList)|v(?:hostOptions|irtualHost))$/;
our @sessionTypes = ( 'captcha', 'remoteGlobal', 'cas', 'global', 'localSession', 'persistent', 'saml', 'oidc' );
our @sessionTypes = ( 'remoteGlobal', 'cas', 'global', 'localSession', 'persistent', 'saml', 'oidc' );
sub NO {qr/^(?:off|no|0)?$/i}

36
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
Unescape View File

@ -20,25 +20,21 @@ sub defaultValues {
'browserIdAuthnLevel' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'captchaStorage' => 'Apache::Session::File',
'captchaStorageOptions' => {
'Directory' => '/var/lib/lemonldap-ng/captcha/'
},
'CAS_authnLevel' => 1,
'CAS_pgtFile' => '/tmp/pgt.txt',
'casAccessControlPolicy' => 'none',
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspImg' => '\'self\'',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'CAS_authnLevel' => 1,
'CAS_pgtFile' => '/tmp/pgt.txt',
'casAccessControlPolicy' => 'none',
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspImg' => '\'self\'',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'
@ -50,6 +46,7 @@ sub defaultValues {
'facebookAuthnLevel' => 1,
'facebookExportedVars' => {},
'failedLoginNumber' => 5,
'formTimeout' => 120,
'globalStorage' => 'Apache::Session::File',
'globalStorageOptions' => {
'Directory' => '/var/lib/lemonldap-ng/sessions/',
@ -182,6 +179,7 @@ sub defaultValues {
'http://auth.example.com/Lemonldap/NG/Common/CGI/SOAPService',
'proxy' => 'http://auth.example.com/index.pl/sessions'
},
'requireToken' => 1,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,

2
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
Unescape View File

@ -20,7 +20,7 @@ our $specialNodeHash = {
};
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wpSslOpt)|ca(?:s(?:StorageOption|Attribute)|ptchaStorageOption)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|CAS_proxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wpSslOpt)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|re(?:moteGlobalStorageOption|loadUrl)|cas(?:StorageOption|Attribute)|CAS_proxiedService|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember)|a(?:uthChoiceModules|pplicationList))';
our $specialNodeKeys = '(?:(?:saml(?:ID|S)|oidc[OR])PMetaDataNode|virtualHost)s';
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|S(?:toreIDToken|cope)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues|MaxAge)|ExportedVars|J(?:SON|WKS))';
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:I(?:DToken(?:Expiration|SignAlg)|con)|(?:RedirectUri|ExtraClaim)s|AccessTokenExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|UserIDAttr)|ExportedVars)';

18
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
Unescape View File

@ -599,16 +599,6 @@ sub attributes {
'default' => 6,
'type' => 'int'
},
'captchaStorage' => {
'default' => 'Apache::Session::File',
'type' => 'PerlModule'
},
'captchaStorageOptions' => {
'default' => {
'Directory' => '/var/lib/lemonldap-ng/captcha/'
},
'type' => 'keyTextContainer'
},
'CAS_authnLevel' => {
'default' => 1,
'type' => 'int'
@ -883,6 +873,10 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
'default' => 5,
'type' => 'int'
},
'formTimeout' => {
'default' => 120,
'type' => 'int'
},
'globalStorage' => {
'default' => 'Apache::Session::File',
'type' => 'PerlModule'
@ -2097,6 +2091,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'remotePortal' => {
'type' => 'text'
},
'requireToken' => {
'default' => 1,
'type' => 'bool'
},
'restConfigServer' => {
'default' => 0,
'type' => 'bool'

23
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
Unescape View File

@ -425,6 +425,16 @@ sub attributes {
},
# Security
formTimeout => {
default => 120,
type => 'int',
documentation => 'Token timeout for forms',
},
requireToken => {
default => 1,
type => 'bool',
documentation => 'Enable token for forms',
},
cda => {
default => 0,
type => 'bool',
@ -694,19 +704,6 @@ sub attributes {
documentation => 'Captcha size',
},
#captcha_data
#captcha_output
captchaStorage => {
type => 'PerlModule',
default => 'Apache::Session::File',
documentation => 'Captcha backend module',
},
captchaStorageOptions => {
type => 'keyTextContainer',
default => { 'Directory' => '/var/lib/lemonldap-ng/captcha/', },
documentation => 'Captcha backend module options',
},
# Variables
exportedVars => {
type => 'keyTextContainer',

6
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
Unescape View File

@ -91,8 +91,6 @@ sub tree {
'captcha_mail_enabled',
'captcha_register_enabled',
'captcha_size',
'captchaStorage',
'captchaStorageOptions'
]
}
]
@ -615,7 +613,9 @@ sub tree {
'cspScript', 'cspStyle',
'cspConnect', 'cspFont',
]
}
},
'requireToken',
'formTimeout',
]
},
{

4
lemonldap-ng-manager/site/static/languages/en.json
Unescape View File

@ -93,8 +93,6 @@
"captcha_mail_enabled": "Activation in password reset by mail form",
"captcha_register_enabled": "Activation in register form",
"captcha_size": "Size",
"captchaStorage": "Captcha module name",
"captchaStorageOptions": "Captcha module options",
"CAS_authnLevel": "Authentication level",
"CAS_CAFile": "CA file",
"CAS_gateway": "Gateway authentication",
@ -202,6 +200,7 @@
"forceSave": "Force save",
"format": "Format",
"formReplay": "Form replay",
"formTimeout": "Form timeout",
"forms": "Forms",
"friendlyName": "Friendly name",
"generalParameters": "General Parameters",
@ -556,6 +555,7 @@
"remoteParams": "Remote parameters",
"remotePortal": "Portal URL",
"replaceByFile": "Replace by file",
"requireToken": "Require token for forms",
"restConfigServer": "REST configuration server",
"restSessionServer": "REST session server",
"restore": "Restore",

4
lemonldap-ng-manager/site/static/languages/fr.json
Unescape View File

@ -93,8 +93,6 @@
"captcha_mail_enabled": "Activation dans le formulaire de réinitialisation par mail",
"captcha_register_enabled": "Activation dans le formulaire de création de compte",
"captcha_size": "Taille",
"captchaStorage": "Nom du module de stockage",
"captchaStorageOptions": "Options du module de stockage",
"CAS_authnLevel": "Niveau d'authentification",
"CAS_CAFile": "Fichier d'AC",
"CAS_gateway": "Authentification transparente",
@ -202,6 +200,7 @@
"forceSave": "Forcer la sauvegarde",
"format": "Format",
"formReplay": "Rejeu de formulaires",
"formTimeout": "Délai de validation pour les formulaires",
"forms": "Formulaires",
"friendlyName": "Nom alternatif",
"generalParameters": "Paramètres généraux",
@ -556,6 +555,7 @@
"remoteParams": "Paramètres Remote",
"remotePortal": "URL du portail",
"replaceByFile": "Remplacer par le fichier",
"requireToken": "Exige un jeton pour les formulaires",
"restConfigServer": "Serveur de configurations REST",
"restSessionServer": "Serveur de sessions REST",
"restore": "Restaurer",

2
lemonldap-ng-manager/site/static/reverseTree.json
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/static/struct.json
View File

File diff suppressed because one or more lines are too long

130
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
Unescape View File

@ -7,8 +7,16 @@ package Lemonldap::NG::Portal::Auth::_WebForm;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants
qw(PE_OK PE_FIRSTACCESS PE_FORMEMPTY PE_PASSWORDFORMEMPTY PE_CAPTCHAEMPTY PE_CAPTCHAERROR);
use Lemonldap::NG::Portal::Main::Constants qw(
PE_CAPTCHAEMPTY
PE_CAPTCHAERROR
PE_FIRSTACCESS
PE_FORMEMPTY
PE_NOTOKEN
PE_OK
PE_PASSWORDFORMEMPTY
PE_TOKENEXPIRED
);
our $VERSION = '2.0.0';
@ -22,10 +30,24 @@ has authnLevel => (
},
);
has captcha => ( is => 'rw' );
has ott => ( is => 'rw' );
# INITIALIZATION
sub init {
1;
if ( $_[0]->{conf}->{captcha_login_enabled} ) {
$_[0]->captcha(
$_[0]->p->loadModule('Lemonldap::NG::Portal::Lib::Captcha') )
or return 0;
}
elsif ( $_[0]->{conf}->{requireToken} ) {
$_[0]->ott(
$_[0]->p->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken') )
or return 0;
$_[0]->ott->timeout( $_[0]->conf->{formTimeout} );
}
return 1;
}
# RUNNING METHODS
@ -34,30 +56,27 @@ sub init {
sub extractFormInfo {
my ( $self, $req ) = @_;
# Init captcha
if ( $self->conf->{captcha_login_enabled} ) {
eval { $self->initCaptcha(); };
$self->lmLog( "Can't init captcha: $@", "error" ) if $@;
}
# Detect first access and empty forms
my $defUser = defined $req->param('user');
my $defPassword = defined $req->param('password');
my $defOldPassword = defined $req->param('oldpassword');
my $res = PE_OK;
# 1. No user defined at all -> first access
return PE_FIRSTACCESS unless $defUser;
unless ($defUser) {
$res = PE_FIRSTACCESS;
}
# 2. If user and password defined -> login form
if ( $defUser && $defPassword ) {
return PE_FORMEMPTY
elsif ( $defUser && $defPassword ) {
$res = PE_FORMEMPTY
unless ( ( $req->{user} = $req->param('user') )
&& ( $req->datas->{password} = $req->param('password') ) );
}
# 3. If user and oldpassword defined -> password form
if ( $defUser && $defOldPassword ) {
return PE_PASSWORDFORMEMPTY
elsif ( $defUser && $defOldPassword ) {
$res = PE_PASSWORDFORMEMPTY
unless ( ( $req->{user} = $req->param('user') )
&& ( $req->datas->{oldpassword} = $req->param('oldpassword') )
&& ( $req->datas->{newpassword} = $req->param('newpassword') )
@ -65,49 +84,48 @@ sub extractFormInfo {
$req->param('confirmpassword') ) );
}
# 4. Captcha for login form
if ( $self->conf->{captcha_login_enabled} && $defUser && $defPassword ) {
$req->datas->{captcha_user_code} = $req->param('captcha_user_code');
$req->datas->{captcha_check_code} = $req->param('captcha_code');
# If form seems empty
if ( $res != PE_OK ) {
unless ( $req->datas->{captcha_user_code}
&& $req->datas->{captcha_check_code} )
{
$self->lmLog( "Captcha not filled", 'warn' );
return PE_CAPTCHAEMPTY;
# If captcha is enable, prepare it
if ( $self->captcha ) {
$self->setCaptcha($req);
}
$self->lmLog(
"Captcha data received: "
. $req->datas->{captcha_user_code} . " and "
. $req->datas->{captcha_check_code},
'debug'
);
# Check captcha
my $captcha_result = $self->checkCaptcha(
$req->datas->{captcha_user_code},
$req->datas->{captcha_check_code}
);
if ( $captcha_result != 1 ) {
if ( $captcha_result == -3
or $captcha_result == -2 )
{
$self->lmLog( "Captcha failed: wrong code", 'warn' );
return PE_CAPTCHAERROR;
# Else get token
elsif ( $self->ott ) {
$self->setToken($req);
}
return $res;
}
# Security: check for captcha or token
if ( $self->captcha or $self->ott ) {
my $token;
unless ( $token = $req->param('token') ) {
$self->p->userError('Authentication tried without token');
return PE_NOTOKEN;
}
if ( $self->captcha ) {
my $code = $req->param('captcha');
unless ($code) {
$self->setCaptcha($req);
return PE_CAPTCHAEMPTY;
}
elsif ( $captcha_result == 0 ) {
$self->lmLog( "Captcha failed: code not checked (file error)",
'warn' );
unless ( $self->captcha->validateCaptcha( $token, $code ) ) {
$self->setCaptcha($req);
$self->p->userNotice("Captcha failed: wrong or expired code");
return PE_CAPTCHAERROR;
}
elsif ( $captcha_result == -1 ) {
$self->lmLog( "Captcha failed: code has expired", 'warn' );
return PE_CAPTCHAERROR;
$self->lmLog( "Captcha code verified", 'debug' );
}
elsif ( $self->ott ) {
unless ( $self->ott->getToken($token) ) {
$self->setToken($req);
$self->p->userNotice('Token expired');
return PE_TOKENEXPIRED;
}
}
$self->lmLog( "Captcha code verified", 'debug' );
}
# Other parameters
@ -141,4 +159,18 @@ sub getDisplayType {
return "standardform";
}
sub setCaptcha {
my ( $self, $req ) = @_;
my ( $token, $image ) = $self->captcha->getCaptcha;
$self->lmLog( 'Prepare captcha', 'debug' );
$req->token($token);
$req->captcha($image);
}
sub setToken {
my ( $self, $req ) = @_;
$self->lmLog( 'Prepare token', 'debug' );
$req->token( $self->ott->createToken );
}
1;

4
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
Unescape View File

@ -83,6 +83,8 @@ use constant {
PE_REGISTERFIRSTACCESS => 78,
PE_REGISTERFORMEMPTY => 79,
PE_REGISTERALREADYEXISTS => 80,
PE_NOTOKEN => 81,
PE_TOKENEXPIRED => 82,
};
# EXPORTER PARAMETERS
@ -107,7 +109,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
PE_MAILNOTFOUND PE_PASSWORDFIRSTACCESS PE_MAILCONFIRMOK
PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP PE_CAPTCHAERROR PE_CAPTCHAEMPTY
PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY PE_REGISTERALREADYEXISTS
HANDLER
PE_NOTOKEN PE_TOKENEXPIRED HANDLER
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );

8
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Request.pm
Unescape View File

@ -56,6 +56,14 @@ has menuError => ( is => 'rw' );
# Frame flag (used by Run to not send Content-Security-Policy header)
has frame => ( is => 'rw' );
# Security
#
# Captcha
has captcha => ( is => 'rw' );
# Token
has token => ( is => 'rw' );
# Error type
sub error_type {
my $req = shift;

1
lemonldap-ng-portal/t/lmConf-1.js
Unescape View File

@ -73,6 +73,7 @@
"generateModule": "Lemonldap::NG::Common::Apache::Session::Generate::SHA256"
},
"reloadUrls": {},
"requireToken": 0,
"userDB": "Demo",
"whatToTrace": "_whatToTrace"
}

Write Preview
Loading…
Cancel
Save