WIP - Append PortalForceReAuthn (#1507)

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -179,6 +179,8 @@ sub defaultValues {
         'portalDisplayRegister'              => 1,
         'portalErrorOnExpiredSession'        => 1,
         'portalForceAuthnInterval'           => 5,
+        'portalForceReAuthn'                 => 1,
+        'portalForceReAuthnTempo'            => 300,
         'portalPingInterval'                 => 60000,
         'portalRequireOldPassword'           => 1,
         'portalSkin'                         => 'bootstrap',

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -2169,6 +2169,14 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
             'default' => 5,
             'type'    => 'int'
         },
+        'portalForceReAuthn' => {
+            'default' => 1,
+            'type'    => 'bool'
+        },
+        'portalForceReAuthnTempo' => {
+            'default' => 300,
+            'type'    => 'int'
+        },
         'portalOpenLinkInNewWindow' => {
             'default' => 0,
             'type'    => 'bool'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -556,6 +556,17 @@ sub attributes {
             type          => 'bool',
             documentation => 'Check XSS',
         },
+        portalForceReAuthn => {
+            default       => 1,
+            type          => 'bool',
+            documentation => 'Enable force reAuthentification to access to Portal',
+        },
+        portalForceReAuthnTempo => {
+            default => 300,
+            type    => 'int',
+            documentation =>
+                'Portal force reAuthentification -> Tempo before try again',
+        },
         bruteForceProtection => {
             default       => 1,
             type          => 'bool',

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm

@@ -92,6 +92,7 @@ use constant {
     PE_UNAUTHORIZEDPARTNER              => 84,
     PE_RENEWSESSION                     => 85,
     PE_WAIT                             => 86,
+    PE_MUSTREAUTHN                      => 87,
 };
 
 # EXPORTER PARAMETERS
@@ -117,7 +118,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
   PE_RADIUSCONNECTFAILED PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP
   PE_CAPTCHAERROR PE_CAPTCHAEMPTY PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY
   PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
-  PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT
+  PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT PE_MUSTREAUTHN
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
 

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm

@@ -24,6 +24,7 @@ our @pList = (
     upgradeSession             => '::Plugins::Upgrade',
     autoSigninRules            => '::Plugins::AutoSignin',
     checkState                 => '::Plugins::CheckState',
+    portalForceReAuthn         => '::Plugins::PortalForceReAuthn',
 );
 
 ##@method list enabledPlugins

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/PortalForceReAuthn.pm

@@ -0,0 +1,35 @@
+package Lemonldap::NG::Portal::Plugins::PortalForceReAuthn;
+
+use Data::Dumper;
+use strict;
+use Mouse;
+use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_MUSTREAUTHN);
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+# INITIALIZATION
+
+use constant forAuthUser => 'run';
+
+sub init {1}
+
+# RUNNING METHOD
+
+sub run {
+    my ( $self, $req ) = @_;
+    my $portalURL = $self->conf->{portal};
+    my $HTTP_HOST = $req->env->{HTTP_HOST};
+    $self->logger->debug( "Portal URL -> " . Dumper($portalURL) );
+    $self->logger->debug( "HTTP_HOST -> " . Dumper($HTTP_HOST) );
+    if ( $req->env->{HTTP_HOST} and $portalURL =~ qr#\Q$HTTP_HOST# ) {
+        my $delta = time() - $req->{sessionInfo}->{_utime};
+        $self->logger->debug( "Delta with last Authn -> " . $delta );
+        $delta <= $self->conf->{portalForceReAuthnTempo}
+            ? return PE_OK
+            : return PE_MUSTREAUTHN;
+    }
+}
+
+1;