Add sfRequired option (#1487)

7 years ago · 4ef9fa374a
parent 6799ca9281
commit 4ef9fa374a
13 changed files with 52 additions and 6 deletions
--- a/fastcgi-server/man/llng-fastcgi-server.1p
+++ b/fastcgi-server/man/llng-fastcgi-server.1p
@ -129,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "llng-fastcgi-server 1"
-.TH llng-fastcgi-server 1 "2018-07-02" "perl v5.26.2" "User Contributed Perl Documentation"
+.TH llng-fastcgi-server 1 "2018-08-03" "perl v5.26.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => '::2F::Engines::Default',
            'type'    => 'text'
        },
+        'sfRequired' => {
+            'type' => 'bool'
+        },
        'singleIP' => {
            'default' => 0,
            'type'    => 'bool'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -2281,6 +2281,10 @@ sub attributes {
            default       => '::2F::Engines::Default',
            documentation => 'Second factor engine',
        },
+        sfRequired => {
+            type          => 'bool',
+            documentation => 'Second factor required',
+        },
        available2F => {
            type          => 'text',
            default       => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -632,7 +632,7 @@ sub tree {
                        {
                            title => 'stateCheck',
                            help  => 'checkstate.html',
-                            form  => 'simpleInputContainer',                            
+                            form  => 'simpleInputContainer',
                            nodes => [ 'checkState', 'checkStateSecret', ],
                        },
                    ]
@ -709,6 +709,7 @@ sub tree {
                                'yubikey2fUserCanRemoveKey',
                            ],
                        },
+                        'sfRequired',
                    ]
                },
                {
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -680,6 +680,7 @@
 "sessionStorage":"تخزين الجلسات",
 "sessionTitle":"محتوى الجلسة",
 "sfaTitle":"Second Factors Authentication",
+"sfRequired":"Require 2FA",
 "show":"عرض",
 "showHelp":"عرض المساعدة",
 "singleIP":"عنوان آي بي واحد لكل مستخدم",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -680,6 +680,7 @@
 "sessionStorage":"Sessions Storage",
 "sessionTitle":"Session content",
 "sfaTitle":"Second Factors Authentication",
+"sfRequired":"Require 2FA",
 "show":"Show",
 "showHelp":"Show help",
 "singleIP":"One IP only by user",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -372,6 +372,7 @@
 "logo":"Logo",
 "logout":"Déconnexion",
 "logoutServices":"Transfert de la déconnexion",
+"sfRequired":"Exiger 2FA",
 "logParams":"Journalisation",
 "lwpOpts":"Options pour les requêtes serveur",
 "lwpSslOpts":"Options SSL pour les requêtes serveur",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -97,6 +97,7 @@
 "browserIdAuthnLevel":"Livello di autenticazione",
 "browserIdAutoLogin":"Login automatico",
 "browserIdBackgroundColor":"Colore di sfondo",
+"sfRequired":"Require 2FA",
 "browseridParams":"BrowserIDParams",
 "browserIdSiteLogo":"Logo del sito",
 "browserIdSiteName":"Nome del sito",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -680,6 +680,7 @@
 "sessionStorage":"Sessions lưu trữ",
 "sessionTitle":"Nội dung phiên",
 "sfaTitle":"Second Factors Authentication",
+"sfRequired":"Require 2FA",
 "show":"Hiển thị",
 "showHelp":"Hiển thị trợ giúp",
 "singleIP":"Chỉ một địa chỉ IP bởi người dùng",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
@ -99,6 +99,12 @@ sub init {
        # Registration base
        $self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] );
        $self->addAuthRoute( '2fregisters' => 'register',         ['POST'] );
+        if ( $self->conf->{sfRequired} ) {
+            $self->addUnauthRoute(
+                '2fregisters' => 'restoreSession',
+                [ 'GET', 'POST' ]
+            );
+        }
    }

    return 1;
@ -131,7 +137,24 @@ sub run {

    # If no 2F module is authorized, skipping 2F
    # Note that a rule may forbid access after (GrantSession plugin)
-    return PE_OK unless (@am);
+    unless (@am) {
+
+        # Except if 2FA is required, move to registration
+        if ( $self->conf->{sfRequired} ) {
+            $req->pdata->{sfRegToken} =
+              $self->ott->createToken( $req->sessionInfo );
+            $req->response(
+                [
+                    302, [ Location => $self->conf->{portal} . '/2fregisters' ],
+                    []
+                ]
+            );
+            return PE_SENDRESPONSE;
+        }
+        else {
+            return PE_OK;
+        }
+    }

    $self->userLogger->info( 'Second factor required for '
          . $req->sessionInfo->{ $self->conf->{whatToTrace} } );
@ -319,4 +342,14 @@ sub register {
    return $self->p->sendJSONresponse( $req, \@am );
 }

+sub restoreSession {
+    my ( $self, $req, @path ) = @_;
+    my $token = $req->pdata->{sfRegToken}
+      or return [ 302, [ Location => $self->conf->{portal} ], [] ];
+    $req->userData( $self->ott->getToken( $token, 1 ) );
+    return $req->method eq 'POST'
+      ? $self->register( $req, @path )
+      : $self->_displayRegister( $req, @path );
+}
+
 1;
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OneTimeToken.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OneTimeToken.pm
@ -110,7 +110,7 @@ sub getToken {
            return undef;
        }
        my %h = %{ $tsession->{data} };
-        $tsession->remove;
+        $tsession->remove unless($keep);
        return \%h;
    }
 }