Try to implement SAML reauth (#595)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -237,6 +237,7 @@ sub defaultValues {
         'trustedProxies'                          => '',
         'twitterAuthnLevel'                       => 1,
         'u2fActivation'                           => 0,
+        'upgradeSession'                          => 1,
         'userControl'                             => '^[\\w\\.\\-@]+$',
         'userDB'                                  => 'Same',
         'useRedirectOnError'                      => 1,

lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/Status.pm

@@ -100,6 +100,7 @@ sub portalTab {
         82 => 'PE_TOKENEXPIRED',
         83 => 'PE_U2FFAILED',
         84 => 'PE_UNAUTHORIZEDPARTNER',
+        85 => 'PE_RENEWSESSION',
     };
 }
 

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -2985,7 +2985,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
             'type'    => 'bool'
         },
         'upgradeSession' => {
-            'default' => 0,
+            'default' => 1,
             'type'    => 'bool'
         },
         'userControl' => {

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -976,7 +976,7 @@ sub attributes {
         # Upgrade session
         upgradeSession => {
             type          => 'bool',
-            default       => 0,
+            default       => 1,
             documentation => 'Upgrade session activation',
         },
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm

@@ -2,6 +2,7 @@ package Lemonldap::NG::Portal::Issuer::SAML;
 
 use strict;
 use Mouse;
+use MIME::Base64;
 use Lemonldap::NG::Portal::Main::Constants qw(
   PE_OK
   PE_SAML_ART_ERROR
@@ -451,8 +452,7 @@ sub run {
                     $info->{'_type'}    = "forceAuthn";
                     $info->{'_saml_id'} = $session_id;
                     $info->{'_utime'}   = $time;
-                    $self->logger->debug(
-                        "Create ForceAuthn session $forceAuthn_session");
+                    $self->logger->debug("Create ForceAuthn session");
                 }
 
                 # Store flag for further requests
@@ -462,29 +462,19 @@ sub run {
                   unless ($forceAuthn_session);
 
                 $self->logger->debug(
-"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
+"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session"
                 );
 
                 # Replay authentication process
-                $req->{updateSession} = 1;
-                $req->steps(
-                    [
-                        @{ $self->p->beforeAuth },
-                        $self->p->authProcess,
-                        @{ $self->p->betweenAuthAndDatas },
-                        $self->p->sessionDatas,
-                        @{ $self->p->afterDatas }
-                    ]
-                );
-                $req->error( $self->p->process($req) );
-
-                # Return error if any
-                return $req->{error} if $req->{error} > 0;
+                return $self->reAuth($req);
+            }
 
-                # Else remove flag
+            # Else remove flag
+            elsif ($forceAuthn_session) {
                 $forceAuthnSessionInfo =
                   $self->getSamlSession( $forceAuthn_session,
                     { $spConfKey => 0 } );
+                $forceAuthnSessionInfo->update( { $spConfKey => 0 } );
 
                 $self->logger->debug(
 "Unset ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
@@ -1607,7 +1597,7 @@ sub sloServer {
         else {
             $req->{urldc} =
               $self->conf->{portal} . '/saml/relaySingleLogoutTermination';
-            $self->p->setHiddenFormValue( 'relay', $relayID );
+            $self->p->setHiddenFormValue( $req, 'relay', $relayID );
             return $self->do( $req, [] );
         }
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm

@@ -89,6 +89,7 @@ use constant {
     PE_TOKENEXPIRED                     => 82,
     PE_U2FFAILED                        => 83,
     PE_UNAUTHORIZEDPARTNER              => 84,
+    PE_RENEWSESSION                     => 85,
 };
 
 # EXPORTER PARAMETERS
@@ -114,7 +115,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
   PE_RADIUSCONNECTFAILED PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP
   PE_CAPTCHAERROR PE_CAPTCHAEMPTY PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY
   PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
-  PE_UNAUTHORIZEDPARTNER
+  PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm

@@ -139,6 +139,16 @@ sub display {
         );
     }
 
+    elsif ( $req->error == PE_RENEWSESSION ) {
+        $skinfile = 'upgradesession';
+        %templateParams = (
+            MSG        => 'askToRenew',
+            CONFIRMKEY => $self->stamp,
+            PORTAL     => $self->conf->{portal},
+            URL        => $req->datas->{_url},
+        );
+    }
+
     # 2.3 Case : user authenticated but an error was returned (bas url,...)
     elsif ( not $req->datas->{noerror} and $req->userData and %{ $req->userData } ) {
         $skinfile       = 'error';

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Issuer.pm

@@ -10,7 +10,10 @@ package Lemonldap::NG::Portal::Main::Issuer;
 use strict;
 use Mouse;
 use IO::String;
-use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
+use Lemonldap::NG::Portal::Main::Constants qw(
+  PE_OK
+  PE_RENEWSESSION
+);
 
 extends 'Lemonldap::NG::Portal::Main::Plugin';
 
@@ -72,7 +75,7 @@ sub _redirect {
     my $ir =
       $req->param( 'issuerRequest' . $self->path ) || $self->storeRequest($req);
     $self->p->setHiddenFormValue( $req, 'issuerRequest' . $self->path,
-        $ir, '', 0 );
+        $ir, '' );
     $req->{urldc} = $self->conf->{portal};
     $req->{urldc} =~ s#/*$##;
     $req->{urldc} .= $req->path . "?issuerRequest$self->{path}=$ir";
@@ -149,6 +152,14 @@ sub restoreRequest {
     return $req;
 }
 
+sub reAuth {
+    my ( $self, $req ) = @_;
+    $req->datas->{_url} = encode_base64(
+        $self->conf->{portal} . '?issuerRequest=' . $self->storeRequest($req),
+        '' );
+    return PE_RENEWSESSION;
+}
+
 1;
 __END__
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm

@@ -47,6 +47,7 @@ sub ask {
         $req,
         'upgradesession',
         params => {
+            MSG        => 'askToUpgrade',
             CONFIRMKEY => $self->p->stamp,
             PORTAL     => $self->conf->{portal},
             URL        => $req->param('url'),

lemonldap-ng-portal/site/htdocs/static/languages/en.json

@@ -84,18 +84,13 @@
 "PE82":"Exceeded authentication timeout",
 "PE83":"U2F verification failed",
 "PE84":"You're not authorizated to access to this host",
-"PM8":"Select your Identity Provider",
-"PM10":"Remember my choice",
-"PM11":"Logout from service providers...",
-"PM12":"Redirection in progress...",
-"PM13":"Go back to service provider",
-"PM17":"Update Common Domain Cookie",
 "accept":"Accept",
 "accessDenied":"You have no access authorization for this application",
 "accountCreated":"Your account has been created, your temporary password has been sent to your mail address.",
 "accountCreationSuccess":"Your account was successfully created.",
 "anotherInformation":"Another information:",
 "areYouSure":"Are you sure?",
+"askToRenew":"This application needs a more recent authentication. Do you want to reauthenticate ?",
 "askToUpgrade":"This application needs an higher authentication level. Do you want to reauthenticate ?",
 "authPortal":"Authentication portal",
 "authRemaining":"%s authentications remaining, change your password!",

lemonldap-ng-portal/site/htdocs/static/languages/fr.json

@@ -84,18 +84,13 @@
 "PE82":"Délai d'authentification dépassé",
 "PE83":"La vérification U2F a échoué",
 "PE84":"Vous n'êtes pas autorisé à accéder à ce site",
-"PM8":"Choisissez votre fournisseur d'identité",
-"PM10":"Se souvenir de mon choix",
-"PM11":"Déconnexion des services...",
-"PM12":"Redirection en cours...",
-"PM13":"Retourner sur le fournisseur de service",
-"PM17":"Mise à jour du cookie de domaine commun",
 "accept":"Accepter",
 "accessDenied":"Vous n'avez pas les droits d'accès à cette application",
 "accountCreated":"Votre compte a été créé, un mot de passe temporaire a été envoyé à votre adresse mail.",
 "accountCreationSuccess":"Votre compte a bien été créé.",
 "anotherInformation":"Une autre information :",
 "areYouSure":"Êtes vous sûr ?",
+"askToRenew":"Cette application nécessite une authentification plus récente. Voulez-vous vous réauthentifier ?",
 "askToUpgrade":"Cette application nécessite un plus haut niveau d'authentification. Voulez-vous vous réauthentifier ?",
 "authPortal":"Portail d'authentification",
 "authRemaining":"%s authentifications restantes, changez votre mot de passe !",

lemonldap-ng-portal/site/templates/bootstrap/upgradesession.tpl

@@ -1,6 +1,6 @@
 <TMPL_INCLUDE NAME="header.tpl">
 
-<div class="message message-positive alert"><span trspan="askToUpgrade"></span></div>
+<div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="MSG">"></span></div>
 <form action="/upgradesession" method="post" class="password" role="form">
   <div class="form">
     <div class="form-group input-group">