Start hiding 2F secrets in logs

2 years ago · 726b57e7dd
parent 4afe7226d2
commit 726b57e7dd
3 changed files with 19 additions and 7 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Okta.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Okta.pm
@ -180,14 +180,18 @@ sub verify_external {
      $self->verifyFactor( $okta_userid, $selected_factor, $code );
    return PE_ERROR unless ($verify_factor_response);

-    $self->logger->debug(
-        "Verify 2FA code $code with factor $selected_factor for $okta_userid:"
+    $self->logger->debug( "Verify 2FA code " . $self->conf->{sfHideSecrets}
+        ? ""
+        : $code
+          . " with factor $selected_factor for $okta_userid:"
          . $verify_factor_response );
    my $okta_verification = $self->decodeJSON($verify_factor_response);

    unless ( $okta_verification->{factorResult} eq "SUCCESS" ) {
        $self->logger->error(
-            "Verifiation failed for code $code for $okta_userid in Okta");
+              "Verifiation failed for code " . $self->conf->{sfHideSecrets}
+            ? ""
+            : $code . " for $okta_userid in Okta" );
        return PE_BADOTP;
    }

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Code2F.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Code2F.pm
@ -92,7 +92,10 @@ sub challenge {
    if ( $self->code_activation ) {
        $code = $self->random->randregex( $self->code_activation );
        $self->logger->debug(
-            "Generated " . $self->prefix . "2f code : $code" );
+              $self->conf->{sfHideSecrets}
+            ? $self->prefix . "2f code generated"
+            : "Generated " . $self->prefix . "2f code : $code"
+        );
        $self->ott->updateToken( $token,
            '__' . $self->prefix . '2fcode' => $code );
    }
@ -229,7 +232,10 @@ sub verify_internal {
    }

    $self->logger->debug(
-        "Verifying " . $self->prefix . "2f code: $code VS $savedcode" );
+        $self->conf->{sfHideSecrets}
+        ? "Verifying " . $self->prefix . "2f submitted code VS saved code"
+        : "Verifying " . $self->prefix . "2f code: $code VS $savedcode"
+    );
    if ( $code eq $savedcode ) {
        return PE_OK;
    }
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Okta.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Okta.pm
@ -115,8 +115,10 @@ sub verifyFactor {

    if ( $verify_response->is_error ) {
        $self->logger->error(
-            "Unable to verify code $code for $okta_userid in Okta:"
-              . $verify_response->content );
+              "Unable to verify code " . $self->conf->{sfHideSecrets}
+            ? ""
+            : $code . " for $okta_userid in Okta:" . $verify_response->content
+        );
        return;
    }